
Frequently Asked Questions
Got questions? We've got answers. Find quick solutions to common queries below.
HIPAA is built on five main rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the 2013 Omnibus Rule. Together, they govern how protected health information (PHI) is used, protected, and disclosed.
The Privacy Rule applies to all forms of PHI (oral, paper, electronic) and controls use and disclosure. The Security Rule focuses specifically on electronic PHI (ePHI) and requires administrative, physical, and technical safeguards, including access controls, audit controls, integrity controls, and encryption (an addressable specification: you must implement it or document why an equivalent alternative is reasonable and appropriate).
Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach. Breaches affecting 500 or more people must also be reported to HHS (OCR) within the same 60-day window and announced to prominent media outlets in the affected state or jurisdiction; smaller breaches can be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
Civil penalties are tiered by level of culpability, from $100 per violation to $50,000 per violation, with an annual cap of $1.5 million per violated provision (these amounts are adjusted for inflation each year, and the cap now exceeds $2 million). Settlements typically also impose corrective action plans and multi-year monitoring requirements.
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) handles HIPAA enforcement, investigations, and penalties.
Focus on a documented, enterprise-wide risk analysis (required by the Security Rule), regular workforce training, encryption of ePHI in EHR systems and on portable devices, up-to-date Business Associate Agreements with every vendor that handles PHI, and quarterly policy reviews.