"Guarding PHI: HIPAA’s Framework, Flaws, and Future"
_______________________________
By: Srishti Mulgund
Tennessee
_______________________________

*Photo credits via Canva Education
_______________________________
Introduction:
Protected Health Information (PHI) is valuable information that can clearly identify an
individual based on their past, current, and future health records [1]. PHI covers sensitive data
such as names, addresses, contact information, and biometric identifiers. If there were laws that
failed to safeguard this information, individuals could lose critical privacy rights allowing
perpetrators to get away without consequences. The need for a policy to address these issues led to the development of HIPAA. HIPAA, also known as The Health Insurance Portability and
Accountability Act, is a federal law enacted in 1996 that is primarily used to safeguard patients’ privacy and reliably secure health records [2]. HIPAA sets strict rules of managing, sharing, and storing protected health information. In this essay, we will explore HIPAA’s framework, elements, and the core rights it seeks to protect. Then, we’ll examine the multiple advantages of this law along with setbacks it provides before looking at the various actions’ policymakers can take to improve HIPAA.
HIPAA’s Framework and Core Rights:
Enacted in 1996, HIPAA’s main purpose was to safeguard patient privacy and protect
health information. This law was implemented and managed by the U.S. Department of Health
and Human Services (HHS) to ensure that covered entities and business associates are guarding
PHI [2]. The framework is built around three core rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The Privacy rule defines and limits how an individual's PHI can be used and disclosed. It
establishes national standards to protect individuals ' medical records and requires covered
entities to get patient authorization and be provided only the necessary amount of information
that needs to be shared. Patients also have the right to access and obtain copies of their records.
[3]. Limited exceptions include allow PHI to be disclosed without authorization for specific
public interest situations, such as imminent health or safety threats to public-health or law
enforcement.
The Security Rule dictates the how organizations must protect electronic/digital PHI.
This includes encryption, access controls, and security audits. Covered entities must implement
three safeguard categories (administrative, physical, and technical) to ensure the confidentiality,
integrity, and availability of all the ePHI they create, receive, maintain, or transmit [4]. The
administrative safeguards this rule utilizes is policies and procedures to manage security
implementations, including routine security risk assessments, and workforce training. Some of
the physical safeguards include access controls to facilities and electronic equipment, including
workstation security rules and movement of hardware and electronic media. Finally, the technical
safeguards contain technological measures to protect and control access to ePHI, such as audit
controls and transmission security. Under this rule, entities have the flexibility to scale these
measures based on factors such as size and capability. However, these organizations are required
by law to document compliance such as risk assessment and policies for a minimum of six years
[4]. The Breach Notification Rule requires organizations to notify affected individuals, HHS,
and in some cases the media within 60 days of discovering a breach involving unsecured PHI
[3]. Breaches affecting 500 or more individuals require immediate reporting to HHS and local
media, while smaller breaches may be logged and reported annually. [5]. This notification rule
only applies to unsecured PHI. If the PHI has been encrypted and is compliant with National
Institute of Standards and Technology (NIST) guidelines, it is rendered unreadable and a breach
notification is not required.
Another update enacted in 2013, the HIPAA Omnibus Rule, helped modernize healthcare
privacy by making business associates and their subcontractors directly liable for safeguarding
PHI. It expanded patient access rights and restricted the marketing and sale of health data [6].
Under this framework, patients hold various core rights regarding their personal health
information. These rights include having the right to view and get copies of medical and billing
records, request corrections to inaccurate/incomplete records, request limits on how health info is
used or disclosed, and the right to file a complaint to report privacy violations to providers or the
HHS.
Advantages of HIPPA:
There are a multitude of advantages related to HIPAA such as ensuring patient privacy,
standardizing medical billing, and mandating data security in healthcare. HIPAA gives patients
control over their medical records and prevents data breaches helping build crucial trust between
patients and healthcare providers. For example, if a patient reviews their medical history and
notices an error, they can file a formal request to get it changed. This gives them direct oversight
into their medical history. HIPAA also safeguards sensitive PHI by requiring encryption,
controls, and secure communication methods. This prevents unauthorized access and minimizes
the risk of data breaches. Patients will feel empowered since they have the rights to access,
review, and amend their medical records promoting transparency in the healthcare system [7].
By increasing feelings of integrity, HIPAA allows healthcare officials to share and access
necessary information securely. This ensures accurate medical history and treatment decisions
[7]. Additionally, HIPAA establishes national standards for electronic healthcare, such as medical
billing and insurance claims. This reduces administrative errors, speeds up processing, and
improves operational efficiency. Organizations that comply with these HIPAA laws can portray a
trustworthy image to patients and partners. This can increase client loyalty and open up business
opportunities. All of these are strong demonstrations of what advantages HIPAA can bring to the
table.
Limitations of HIPPA:
Even though HIPPA provides essential protection for patient medical records and has a
multitude of advantages, HIPAA also has its share of challenges. Some of these drawbacks
include high compliance costs, administrative burdens, restricted information sharing, and gaps
covering modern digital health technologies [8]. First, there are various administrative and
financial burdens associated with HIPAA. A high implementation cost is required, where
healthcare organizations are needed to invest heavily in specialized training, compliance officers,
and diverting valuable resources away from direct patient care. Strict rules mandate having
various forms of detailed documentation which significantly increases administrative paperwork.
Moreover, barriers to care and innovation such as restricted information sharing can
hinder developments and take lengthy amounts of time. Fear of legal penalties can cause
providers to be overly cautious, occasionally delaying care coordination or the transfer of patient
records between different healthcare facilities. Strict compliance to HIPAA protocols can also
discourage digital innovation to deploy new healthcare technologies [9]. Similarly, strict
verification processes and restrictive data sharing can cause frustrating delays for patients trying
to access their own medical records or share that information with trusted healthcare
professionals. While these disadvantages are present, policymakers have come up with strong
amendments and reasonable changes to improve the law to the best of their ability.
Future Directions and Conclusion:
To combat the setbacks discussed, policymakers and federal agencies are actively
updating healthcare frameworks. Future directions are focused on simplifying patient data access
and modernizing security rules to cover the risks associated with new digital health technologies.
Overseen by the HHS, regulations are transitioning from basic education to active oversight to
stop providers and vendors from interfering with the seamless transfer of electronic health
information. Additionally, to address the growing risks of digital health apps and AI there have
been propositions designed to improve the Security Rule away from flexible guidelines to
specific, enforceable cybersecurity and continuous monitoring requirements [10]. Furthermore,
amendments to the HIPAA laws do not cover consumer-facing health apps, wearables, and
genetic databases which legislation is continuously stepping in to regulate and improve.
Essentially, HIPAA provides a vital foundation for protecting patient privacy and
safeguarding sensitive health data. While legislation may struggle to keep up with the setbacks
the modern digital age brings and data sharing restrictions. It establishes clear guidelines for
healthcare professionals to abide by and gives patient crucial rights. With meaningful
improvements, this law will hopefully evolve to protect patient rights and improve the
environment of medical safety and patient health.
Bibliography:
1. Isola, S., & Al Khalili, Y. (2023, January 30). Protected Health Information. PubMed;
StatPearls Publishing. https://www.ncbi.nlm.nih.gov/books/NBK553131/
2. Edemekong, P., Haydel, M., & Annamaraju, P. (2024). Health Insurance Portability and
Accountability Act (HIPAA). National Library of Medicine.
https://www.ncbi.nlm.nih.gov/books/NBK500019/
3. Ramirez, F. (2025, June 3). What Does HIPAA Mean? Hosting & Cloud Solutions -
HIPAA Compliant - HIPAA Vault; Hosting & Cloud Solutions - HIPAA Compliant -
HIPAA Vault. https://www.hipaavault.com/resources/what-does-hipaa-mean/
4. U.S. Department of Health and Human Services. (2024). Summary of the HIPAA Security
Rule. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-
professionals/security/laws-regulations/index.html
5. Bricker Graydon Wyatt LLP. (2026). BrickerGraydon.
https://www.bricker.com/insights/resources/key/hipaa-regulations-notification-in-the-
case-of-breach-notification-to-the-secretary-of-hhs-164-408
6. Drata. (2026, March 4). What is the HIPAA Omnibus Rule? History and Requirements.
Drata.Com; Drata. https://drata.com/learn/hipaa/omnibus-rule
7. Abhinaw. (2024, October 2). HIPAA Compliance: 10 Benefits for Healthcare
Professionals. HIPAA University -. https://hipaauniversity.com/blog/benefits-of-hipaa-
compliance/
8. Disadvantages of HIPAA - HIPAA Guide. (2023, April 28). The HIPAA Guide.
https://www.hipaaguide.net/disadvantages-of-hipaa/
9. Weishaupt, J. (2025, September 11). Pros and cons of HIPAA: key benefits and hidden
drawbacks. Jotform. https://www.jotform.com/blog/pros-and-cons-of-hipaa/
10. Office for Civil Rights (OCR). (2018, December 12). HIPAA Privacy Rule and Care
Coordination. HHS.Gov. https://www.hhs.gov/hipaa/for-professionals/regulatory-
initiatives/index.html