What does HIPAA cover?

HIPAA covers the Privacy, Security and Enforcement rules for PHI (protected health information). The Privacy and Security rules describe how one must treat PHI, whether it’s electronic or not. The Enforcement rules specify what happens if you don’t (the penalties).

There are three things that HIPAA requires:

  1. Integrity of information – the medical record must be accurate.
  2. Confidentiality – the medical record should only be seen by those with a need to know, and all uses of that data should be knowable by the individual.
  3. Availability – the medical record must be available; in essence, no reasonably avoidable downtime.