What Is the Privacy Rule and the Security Rule in HIPAA?

The Privacy Rule and the Security Rule are critical components of HIPAA, the Health Insurance Portability and Accountability Act, signed by President Bill Clinton in 1996. The law is considered a breakthrough in the health industry, especially in setting standards to protect the private information of patients and other individuals in the medical and insurance fields.

Privacy Rule and Security Rule Explained

In essence, the Privacy Rule covers the healthcare provider, while the Security Rule covers the third-party services that will inevitably handle confidential information in the performance of their duties.

The Privacy Rule is the first layer of security, ensuring that private information remains confidential. For instance, a hospital is mandated to limit access to patient data to a few authorized persons. Access to and handling of the data should also be adequately tracked so that lapses and gaps in the transmission process can be found. In the event of a data breach, this tracking also helps isolate the incident and identify the person responsible.

The Security Rule, meanwhile, adds another layer of security. This provision covers the third-party service providers, which are called the primary entity’s “business associates.” They span multiple professions and practices.

If you are a lawyer for a hospital, you are covered under the Security Rule. As such, you should employ physical and technical safeguards to ensure that private information is protected. The same goes for accountants and IT service providers.

One field that is often overlooked is the courier service, which is also covered by HIPAA. Make sure that the mailing service you hire is HIPAA-compliant, so you don’t run afoul of the law.

Penalties in HIPAA

The penalties contained in HIPAA are classified into tiers, which define the gravity of the offense. This is why you should always bear in mind that HIPAA and postal mail are interconnected.

❖ Tier 1: This applies when the healthcare provider could not have known about, and was not complicit in, the data breach. It will still cost you from $100 to $50,000 in fines.

❖ Tier 2: This applies when the healthcare provider could have avoided the breach with due diligence but continued to ignore the risks. The penalty ranges from $1,000 to $50,000 for each incident.

❖ Tier 3: This applies when there was “willful neglect” on the part of the healthcare provider, for instance in the handling of HIPAA-covered postal mail. The penalty ranges from $10,000 up to $50,000 per incident, provided the entity has instituted corrective measures within 30 days.

❖ Tier 4: This applies when there was “willful neglect” on the part of the healthcare provider, which continues to violate the law by not taking any action to address the risks. The penalty ranges from $50,000 up to $1.5 million per incident.

That means, conservatively speaking, that if you have ten patients whose records are compromised due to willful neglect, you are looking at $11.5 million in fines at the top-tier penalty.
