What is the HIPAA Security Rule?

HIPAA contains a series of rules that covered entities (CEs) and business associates (BAs) must follow to be compliant. One of these rules is the HIPAA Security Rule. This rule, which applies to both CEs and BAs, is designed to safeguard individuals’ electronic protected health information (ePHI) by setting out HIPAA security requirements.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

A BA is a vendor, hired by the CE to perform a service (such as a billing service for a healthcare provider), who comes into contact with protected health information (PHI) as part of the BA’s job.

What is PHI?

Under HIPAA, protected health information (PHI) is any piece of information in an individual’s medical record that is created, used, or disclosed in the course of diagnosis or treatment and that can be used to uniquely identify the patient.

According to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the 18 types of information that qualify as PHI include:

  1. Name
  2. Address
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

The Security Rule regulates a subset of protected health information, known as electronic protected health information, or ePHI. ePHI consists of all individually identifiable health information (i.e., the 18 identifiers listed above) that is created, received, maintained, or transmitted in electronic form.

What Must Covered Entities Do With Respect to ePHI?

The HIPAA security requirements dictated by the HIPAA Security Rule are as follows:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated; and
  • Ensure compliance by their workforce.

The Security Rule contains definitions and standards that explain, in plain English, what each of these HIPAA security requirements means and how it can be satisfied.

What Does “Confidentiality” Mean?

Under the Security Rule, confidentiality means that ePHI is not made available or disclosed to unauthorized persons.

What Does “Integrity” Mean?

Under the Security Rule, to maintain the integrity of ePHI means to not alter or destroy it in an unauthorized manner.

What Does “Availability” Mean?

Under the Security Rule, ePHI is considered to be “available” when it is accessible and usable on demand by an authorized person.


What Specific HIPAA Security Requirements Does the Security Rule Dictate?

The Security Rule requires entities to analyze their security needs and implement appropriate, effective security measures in line with HIPAA security requirements.

The Security Rule does not dictate which specific security measures an organization of a given size must use; entities therefore have some leeway to decide which security measures will work most effectively for them.

What the Security Rule does require is that entities consider the following when implementing security measures:

  • Their size, complexity, and capabilities;
  • Their technical, hardware, and software infrastructure;
  • The costs of security measures; and
  • The likelihood and possible impact of the potential risk to ePHI.

The Security Rule also requires that covered entities not “sit still”: they must continually review and modify their security measures to ensure ePHI is protected at all times.

What are the Three Standards of the HIPAA Security Rule?

The HIPAA Security Rule contains what are referred to as three required standards of implementation. Covered entities and BAs must comply with each of these.

The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.

What are Administrative Safeguards?

The Security Rule administrative safeguard provisions require CEs and BAs to perform a risk analysis. Performing a risk analysis helps you to determine what security measures are reasonable and appropriate