What are the 5 main components of HIPAA?

Published on : 21 Dec 2021

5 HIPAA Components


Today, cyber-attacks and data breaches have become very common. While organizations try their best to keep up with the evolving threat landscape, that is still not enough to guarantee the security of critical data and assets. This is especially true in the healthcare industry: it is a treasure trove of sensitive PHI data, and healthcare organizations are increasingly becoming a soft target for attackers.

Addressing this growing concern, the Health Insurance Portability and Accountability Act (HIPAA) was introduced and enforced to protect patients’ health information against unauthorized access and data theft. So, organizations in the healthcare industry are expected to comply with HIPAA regulations and ensure the protection of PHI data while also preserving the rights of patients.

HIPAA comprises 5 key components: HIPAA Health Insurance Reform, HIPAA Administrative Simplification, HIPAA Tax-Related Health Provisions, Application and Enforcement of Group Health Plan Requirements, and Revenue Offsets. Let us look at each of the 5 components in a bit more detail to understand the HIPAA regulation better.



5 main components of HIPAA

The Health Insurance Portability & Accountability Act was established and enforced for two main reasons: to facilitate health insurance coverage for workers during the interim period of a job transition, and to address fraud in health insurance and healthcare delivery. The aim is to improve the overall efficiency of, and access to, healthcare services and health insurance in the US. The HIPAA regulation covers 5 major areas that should be considered when ensuring compliance. The major components covered in HIPAA are described below.

1. HIPAA Health Insurance Reform

HIPAA Health Insurance Reform is about ensuring the availability of health insurance coverage to all individuals, especially those who have lost their jobs or are in the interim period of a job transition. This section governs the availability of group and individual health insurance while also preventing coverage from being denied to individuals with a specific ailment and/or a pre-existing condition. It also prevents lifetime coverage limits from being imposed on individuals.

2. HIPAA Administrative Simplification

The Administrative Simplification provision is an important part of the HIPAA regulation. It covers the standard requirements for the security, privacy, and processing of electronic healthcare transactions. The HHS developed and published the HIPAA rules concerning the implementation and enforcement of Administrative Simplification. These significant HIPAA rules include:

  • Privacy Rule – The Privacy Rule governs the use and disclosure of protected health information (PHI).
  • Security Rule – The Security Rule lays out the Administrative, Physical, and Technical Safeguards required to protect PHI data.
  • Transactions and Code Set Rule – HIPAA added a new administrative simplification rule that requires all healthcare institutions to standardize healthcare transactions.
  • Unique Identifiers Rule – As per the Unique Identifiers Rule, HIPAA requires healthcare providers to have a standard national number, the National Provider Identifier (NPI), a unique identification number that identifies them in standard transactions.
  • Enforcement & Breach Notification Rules – The HIPAA Enforcement Rule outlines standards for the enforcement of all the Administrative Simplification Rules, and the Breach Notification Rule sets out the notification requirements in case of a breach of PHI data. (https://www.hhs.gov/)

Adopting these standards facilitates the efficiency and effectiveness of healthcare services in the industry. All healthcare organizations falling within the scope of HIPAA compliance are required to comply with these standards.

3. Tax-related Health Provisions Governing Medical Savings Accounts

This section covers tax-related guidelines for healthcare services. The provision comprises updates or changes to insurance laws. These changes include the standardization of pre-tax medical savings accounts and the availability of medical savings accounts to employees covered under an employer-sponsored medical plan of a small employer, as well as to self-employed individuals.


4. Group Health Insurance Enforcement & Application Requirements

This provision outlines health insurance reforms, such as provisions for individuals with pre-existing conditions and for those seeking continued coverage. It also includes a clarification of the Consolidated Omnibus Budget Reconciliation Act (COBRA).

5. Revenue Offset Governing Tax Deductions for Employers

This section includes provisions for company-owned life insurance, such as prohibiting the tax deduction of interest on life insurance loans, company endowments, or contracts related to the company. It further repeals the financial institution rule in the interest allocation rules.

This section also covers amendments to laws relating to people who have given up their US citizenship or permanent residence, the applicability of expatriation tax to those who gave up their US citizenship for tax reasons, and making expatriates' names part of the public record through the creation of the Quarterly Publication of Individuals Who Have Chosen to Expatriate.


The rules and guidelines outlined in HIPAA are designed for covered entities to follow, and they define those entities' roles and responsibilities concerning the security of electronic health information exchange. These rules and guidelines are seen as good practice for ensuring the security and privacy of ePHI, both at rest and in transit. The 5 HIPAA components described above are the foundational pillars of HIPAA compliance. Based on these, covered entities can build an effective privacy and security program for ePHI data and for the IT infrastructure that forms an integral part of the PHI handling process.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.