
5 HIPAA rules, from privacy to security and more

Whether you are in the healthcare industry or your business model lends itself to clients in that industry, HIPAA is likely at the forefront of your thoughts. But what is it, and how does it affect your data specifically?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US federal legislation that establishes rules, regulations, and potential penalties around the handling and use of protected health information (PHI).

That’s a mouthful! Translated into lay-speak that sentence amounts to this: If you touch private medical data, it’s your job to ensure it is kept safe.

A common misconception about where responsibility lies has led to several well-documented failures, including tens of millions of dollars in fines and settlements.

Avoiding these fines and settlements is of paramount importance to the health of your business. The first step is learning your responsibilities. HIPAA compliance is broken into five rules, each governing a major area of compliance, and each requiring its own processes and procedures to maintain that compliance.


1. HIPAA privacy rule

The HIPAA privacy rule establishes national standards for the use and disclosure of protected health information (PHI) by covered entities and their business associates.

The privacy rule defines PHI broadly, including any information that can identify a patient and relates to their physical or mental health, healthcare services, or payment for healthcare. This includes not just obvious data like names and Social Security numbers, but also medical record numbers, addresses, and even certain biometric data.

For healthcare organizations, this means access to PHI must be limited to the minimum necessary to fulfill a specific purpose. Uses and disclosures outside treatment, payment, and healthcare operations, such as most marketing, require explicit patient authorization. The rule also grants patients the right to review their own records, request corrections, and obtain copies.

Operationally, this shifts data governance from a purely technical matter to a policy-driven framework. Even if your infrastructure is technically secure, sharing PHI without proper consent could violate the privacy rule. Policies, training, and system-level safeguards must all work together.


What it means for HIPAA-compliant hosting

If your website, patient portal, or database stores PHI, the hosting provider that handles it on your behalf is a business associate and must also meet privacy rule requirements. This includes signing a business associate agreement (BAA), ensuring secure authentication, and configuring access controls so only authorized personnel can access patient data.

2. HIPAA security rule

The HIPAA security rule requires covered entities and business associates to protect electronic protected health information (ePHI) with administrative, physical, and technical safeguards.

While the privacy rule governs when and why PHI is used or shared, the security rule governs how it is protected in electronic form. Its three safeguard categories are administrative (risk analysis, policies, workforce training), physical (facility and device controls), and technical (access control, audit logging, integrity checks, and transmission security).

The security rule is intentionally flexible, allowing organizations to choose technologies and procedures suited to their size, complexity, and resources—provided they effectively reduce risk to ePHI.

Patients benefit from reduced exposure to cyberattacks, accidental data loss, or unauthorized internal access. The rule ensures healthcare technology is designed with security as a core requirement, not an afterthought.


What it means for HIPAA-compliant hosting

HIPAA-compliant hosting must support these safeguards natively or allow you to implement them. This includes secure data center access, network segmentation, encrypted storage, and the ability to restrict database queries to authorized applications or users.

3. HIPAA breach notification rule

The HIPAA breach notification rule requires covered entities and business associates to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, after a breach of unsecured PHI.

A “breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the privacy rule that compromises its security or privacy. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons in line with HHS guidance, which is why properly implemented encryption at rest and in transit matters for this rule. The rule mandates notification without unreasonable delay and no later than 60 calendar days after discovery, and includes specific content requirements for those notifications.

Not every incident qualifies as a breach: a documented risk assessment can establish that the probability of compromise is low enough to exempt an event from reporting. But any delay or mishandling of notification can lead to significant penalties.

For patients, timely notification allows them to take steps to mitigate harm—such as monitoring accounts, changing passwords, or disputing fraudulent activity—before damage escalates.


What it means for HIPAA-compliant hosting

Hosting environments should include breach detection capabilities, such as log monitoring, intrusion detection systems, and automated alerts for suspicious activity. The ability to produce access logs quickly is critical for investigating and documenting potential breaches.
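The detection logic the paragraph above calls for can be run directly over access logs. The following is an added example, not code from the original page or from any hosting provider: it parses a constructed sample of patient-portal access-log lines (the format, user names, IPs, and patient IDs are invented for the demo) and applies two rules that map onto common breach patterns, a burst of failed logins followed by a success on the same account, and one user opening an unusual number of distinct patient records within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a patient-portal access log (illustrative, not from the
# original page): five failed logins for one account, a success, then that user
# opening eight different patient records in seven minutes.
SAMPLE_LOG_LINES = [
    "2024-03-04T08:58:11Z user=jdoe ip=10.0.5.21 event=login result=fail",
    "2024-03-04T08:58:14Z user=jdoe ip=10.0.5.21 event=login result=fail",
    "2024-03-04T08:58:17Z user=jdoe ip=10.0.5.21 event=login result=fail",
    "2024-03-04T08:58:20Z user=jdoe ip=10.0.5.21 event=login result=fail",
    "2024-03-04T08:58:23Z user=jdoe ip=10.0.5.21 event=login result=fail",
    "2024-03-04T08:58:26Z user=jdoe ip=10.0.5.21 event=login result=success",
] + [
    f"2024-03-04T09:0{i}:00Z user=jdoe ip=10.0.5.21 event=record_view patient=P-10{i:02d}"
    for i in range(8)
] + [
    "2024-03-04T09:10:00Z user=asmith ip=10.0.7.3 event=record_view patient=P-2002",
    "2024-03-04T09:11:00Z user=asmith ip=10.0.7.3 event=record_view patient=P-2002",
]


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def failed_logins_then_success(events, max_fails=5, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs with >= max_fails failures inside `window` followed by a success."""
    findings = []
    logins = defaultdict(list)
    for e in events:
        if e.get("event") == "login":
            logins[(e["user"], e["ip"])].append(e)
    for (user, ip), evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fails = []
        for e in evs:
            # Keep only failures that fall inside the window ending at this event.
            recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
            if e["result"] == "fail":
                recent_fails.append(e["ts"])
            elif e["result"] == "success" and len(recent_fails) >= max_fails:
                findings.append({"rule": "failed_logins_then_success", "user": user,
                                 "ip": ip, "failures": len(recent_fails),
                                 "at": e["ts"].isoformat()})
                recent_fails = []
    return findings


def bulk_record_access(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who view >= threshold distinct patient records inside any `window`."""
    findings = []
    views = defaultdict(list)
    for e in events:
        if e.get("event") == "record_view":
            views[e["user"]].append(e)
    for user, evs in views.items():
        evs.sort(key=lambda e: e["ts"])
        # Quadratic sliding window: fine for a demo; use a deque at production volume.
        for i, start in enumerate(evs):
            distinct = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(distinct) >= threshold:
                findings.append({"rule": "bulk_record_access", "user": user,
                                 "distinct_patients": len(distinct),
                                 "window_start": start["ts"].isoformat()})
                break  # one finding per user is enough to open a ticket
    return findings


def run_detections(lines):
    """Parse the log lines and return the findings from both rules."""
    events = [parse_line(line) for line in lines if line.strip()]
    return failed_logins_then_success(events) + bulk_record_access(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG_LINES):
        print(finding)
```

Counting distinct patients rather than raw views is what keeps a clinician re-opening one chart from tripping the rule while a scripted export of many charts does. The thresholds and windows are demo values; tune them against your own baseline, and feed findings into the same ticketing path your breach risk assessment starts from so the 60-day clock has a documented discovery time.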

4. HIPAA transactions rule

The HIPAA transactions rule standardizes the electronic exchange of healthcare-related administrative and financial data using specific formats and code sets.

This rule applies to common transactions like claims submission, eligibility verification, referral authorization, and payment remittance. The goal is to make these processes faster, more accurate, and more cost-effective by enforcing the use of standardized electronic data interchange (EDI) formats, primarily ANSI X12.

For IT leaders, this rule affects not only billing systems but also any hosted application that interfaces with payers, clearinghouses, or other covered entities via electronic transactions.

Patients benefit from more efficient claims processing, fewer administrative errors, and faster reimbursements—reducing delays in care caused by payment disputes.


What it means for HIPAA-compliant hosting

Hosted platforms handling these transactions must be capable of securely processing and transmitting standardized data formats without altering content. Hosting providers may need to support secure EDI gateways, encrypted file transfer protocols, and transaction logging.

5. HIPAA identifiers rule

The HIPAA identifiers rule standardizes and protects unique identifiers for individuals, providers, employers, and health plans in transactions and recordkeeping.

Identifiers like the National Provider Identifier (NPI), Employer Identification Number (EIN), and standard health plan identifiers are essential for ensuring accurate data exchange. Misuse of these identifiers can result in misdirected care or billing errors.

For covered entities, proper use of these identifiers is mandatory in HIPAA-standard transactions, and unauthorized disclosure is prohibited. These identifiers often appear alongside other PHI, increasing their sensitivity.

Patients benefit from reduced errors in health record matching and claim processing, ensuring care and billing are linked to the correct individual or provider.


What it means for HIPAA-compliant hosting

Hosting environments that store these identifiers alongside patient data must treat them as PHI, implementing the same encryption, access control, and audit measures used for other sensitive health data. Databases should be configured to restrict query access to identifier fields to the roles that need them and to log every access attempt, allowed or denied.
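Both the security rule section (restricting database queries to authorized applications or users) and the paragraph above (restricting query access to identifier fields and logging access attempts) describe the same control. The following added example, which is not code from the original page or from any vendor, implements it with SQLite's statement authorizer: each application role gets a connection whose authorizer callback denies reads of identifier columns the role has not been granted and records every attempt, allowed or denied, in an audit trail. The schema, role names, column grants, and sample rows are constructed for the demo; a production deployment would use the equivalent column-level grants and audit logging of its real database engine.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Hypothetical identifier columns that must be gated and audited (constructed schema).
RESTRICTED_COLUMNS = {
    ("patients", "ssn"),
    ("patients", "medical_record_number"),
    ("providers", "npi"),
}

# Hypothetical role model: which application roles may read which gated columns.
ROLE_GRANTS = {
    "billing": {("patients", "medical_record_number"), ("providers", "npi")},
    "clinician": {("patients", "medical_record_number")},
    "analytics": set(),  # de-identified reporting only
}

DB_PATH = os.path.join(tempfile.mkdtemp(prefix="phi_demo_"), "phi_demo.db")
_AUDIT_LOG = []  # in production: append-only storage shipped off-host


def seed_database():
    """Create the demo database with constructed sample rows; returns its path."""
    conn = sqlite3.connect(DB_PATH)
    conn.executescript("""
        DROP TABLE IF EXISTS patients;
        DROP TABLE IF EXISTS providers;
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT,
                               medical_record_number TEXT);
        CREATE TABLE providers (id INTEGER PRIMARY KEY, name TEXT, npi TEXT);
        INSERT INTO patients VALUES (1, 'Pat Example', '000-00-0001', 'MRN-1001');
        INSERT INTO providers VALUES (1, 'Dr. Example', '1234567890');
    """)
    conn.close()
    return DB_PATH


def open_for_role(role):
    """Open a connection whose authorizer enforces ROLE_GRANTS and audits every attempt."""
    allowed = ROLE_GRANTS.get(role, set())

    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        # SQLITE_READ fires per referenced column while the statement is prepared,
        # so a denied column fails the whole query before any row is read.
        if action == sqlite3.SQLITE_READ and (arg1, arg2) in RESTRICTED_COLUMNS:
            decision = "allow" if (arg1, arg2) in allowed else "deny"
            _AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "role": role,
                               "table": arg1, "column": arg2, "decision": decision})
            return sqlite3.SQLITE_OK if decision == "allow" else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn = sqlite3.connect(DB_PATH)
    conn.set_authorizer(authorize)
    return conn


def query_as(role, sql):
    """Run sql as role. Returns (rows, None) on success or (None, error) when denied."""
    conn = open_for_role(role)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.DatabaseError as exc:
        return None, str(exc)
    finally:
        conn.close()


def audit_entries():
    """Return a copy of the audit trail recorded so far."""
    return list(_AUDIT_LOG)


if __name__ == "__main__":
    seed_database()
    print(query_as("billing", "SELECT name, medical_record_number FROM patients"))
    print(query_as("analytics", "SELECT name, ssn FROM patients"))
    print(query_as("clinician", "SELECT name FROM patients"))
    for entry in audit_entries():
        print(entry)
```

The point to take from the design is that the gate sits at query preparation, not in application code that remembers to filter columns: a `SELECT *` or an ad hoc report from the analytics role fails outright rather than quietly returning SSNs, and the denied attempt is itself evidence for the access review the breach notification rule expects you to be able to produce.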

HIPAA rules and hosting FAQs

Yes. Any hosting provider that stores, processes, or transmits ePHI must support compliance with the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule. Their infrastructure, policies, and personnel must be aligned with HIPAA standards.

HIPAA does not specify which database technology to use. Rather, it sets the security standards that must be met. Whether you are using a relational database such as PostgreSQL or a NoSQL database, in a private cloud or a dedicated environment, compliance depends on how that environment is configured and managed.

Here’s what that means in practice:

The Privacy Rule applies to all types of PHI and governs how it can be used and shared. The Security Rule applies only to ePHI and requires specific safeguards to ensure its protection. Both are essential for HIPAA compliance.

Shared hosting environments typically can’t guarantee the isolation and access controls required by HIPAA. For compliance, organizations generally need dedicated servers, private clouds, or virtual private servers (VPS) that can be configured to meet HIPAA standards.

If a provider is involved in a compliance failure and lacks proper documentation or audit readiness, both the provider and the covered entity could face investigations and penalties. It’s critical to choose a hosting partner with a proven track record and full transparency.

No. Even a suspected unauthorized access event that compromises unsecured PHI can trigger the rule’s notification requirements. Hosting providers must be equipped to detect, respond, and report incidents quickly to minimize exposure.

Additional resources

What is HIPAA-compliant hosting? →

A complete beginner’s guide

Scaling a compliant cloud →

How to scale up without compromising security

HIPAA guide for small business →

A complete resource for medical SMBs

Jerry Vasquez brings decades of leadership experience to his role as Product Manager at Liquid Web, focusing on networking and security products. When not working or sleeping, Jerry can usually be found eating and having a good conversation with good people.
