4 October, 2019
HIPAA Security Rule Simplified
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, required the US Department of Health and Human Services (HHS) to develop regulations for protecting the security and privacy of health information. To fulfill this requirement, HHS published rules that are commonly known as the HIPAA Security Rule and the HIPAA Privacy Rule. The HIPAA Security Rule establishes a set of security standards for protecting health information that is held or transmitted in electronic form by covered entities in the United States. The HIPAA Privacy Rule, on the other hand, establishes nationwide standards for the protection of health information.
In essence, the Security Rule operationalizes the standards outlined in the Privacy Rule by specifying the technical and non-technical safeguards that covered entities must follow to secure individuals' electronic protected health information (ePHI). The Office for Civil Rights (OCR) in HHS is the authority responsible for enforcing the Security and Privacy Rules.
Who is covered by the Security Rule?
This rule applies to health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form.
After the passage of the HITECH Act of 2009, the applicability of the Security Rule was extended to business associates. To clarify these changes, HHS developed implementing rules and regulations.
What information is protected by the HIPAA Security Rule?
The HIPAA Security Rule protects electronic protected health information (ePHI). The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI). The HIPAA Security Rule protects a subset of the information protected by the HIPAA Privacy Rule, i.e., individually identifiable health information created, received, maintained, or transmitted in electronic form by a covered entity. The HIPAA Security Rule does not apply to PHI transmitted in writing or orally.
The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate safeguards – administrative, technical, and physical – for the protection of individuals' ePHI. The four general requirements are as follows –
- A covered entity must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
- A covered entity must identify and protect against reasonably anticipated threats to the security or integrity of the information;
- A covered entity must protect against reasonably anticipated, impermissible uses or disclosures; and
- A covered entity must ensure compliance by its workforce.
How does a covered entity decide the security measures to be implemented?
HHS recognizes that covered entities range in size from the smallest providers to the largest multi-state service providers. Hence, covered entities are given the flexibility to analyze their organization-specific needs and implement solutions appropriate to their own requirements. When deciding which security measures to implement, a covered entity should therefore consider –
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and the possible impact of potential risks to ePHI.
A covered entity must continually review, revise, and improve its security measures to protect ePHI in an ever-evolving threat landscape.