May 21, 2026

# HIPAA Basics & Overview

This training module covers the fundamentals every workforce member must know before accessing any system that may touch PHI.

## What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information (PHI). As a Business Associate, we handle PHI on behalf of our customers (Covered Entities) and must comply fully.

## The three HIPAA Rules

**Privacy Rule (§ 164.500–534)** — Governs how PHI may be used and disclosed. Establishes patient rights to access and amend records. Requires a Privacy Officer.

**Security Rule (§ 164.302–318)** — Requires administrative, physical, and technical safeguards to protect ePHI (electronic PHI). Requires a Security Officer and annual risk assessment.

**Breach Notification Rule (§ 164.400–414)** — Defines what constitutes a breach and requires notification to affected individuals, HHS, and sometimes the media within strict time limits.

## Key definitions

- **PHI** — Individually identifiable health information in any form
- **ePHI** — PHI in electronic form
- **Covered Entity** — Health care provider, plan, or clearinghouse (our customers)
- **Business Associate** — Entity that performs functions involving PHI for a covered entity (us)
- **Minimum Necessary** — Use only the PHI required for the specific task at hand

## Your responsibilities

Every workforce member must:

1. Access only the minimum PHI required for their job
2. Protect devices, credentials, and data at all times
3. Report suspected incidents immediately
4. Complete required training and sign required agreements
5. Follow all company HIPAA policies

## Attestation

Completing this module confirms you understand HIPAA fundamentals and your obligations as a workforce member.