What is the HIPAA Security Rule?

HIPAA contains a series of rules that covered entities (CEs) and business associates (BAs) must follow to be compliant. One of these rules is known as the HIPAA Security Rule. This rule, which applies to both CEs and BAs, is designed to safeguard the privacy of individuals’ electronic protected health information (ePHI).

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

A BA is a vendor, hired by the CE to perform a service (such as a billing service for a health care provider), who comes into contact with protected health information (PHI) as part of the BA’s job.

What is PHI?

Under HIPAA, protected health information (PHI) is any piece of information in an individual’s medical record that is created, used, or disclosed during the course of diagnosis or treatment and that can be used to uniquely identify the patient.

According to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the 18 types of information that qualify as PHI include:

  1. Name
  2. Address 
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes 

The Security Rule regulates a subset of Protected Health Information, known as Electronic Protected Health Information, or ePHI. ePHI consists of all individually identifiable health information (i.e., the 18 identifiers listed above) that is created, received, maintained, or transmitted in electronic form.

What Must Covered Entities Do With Respect to ePHI?

The HIPAA Security Rule requires covered entities to:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated; and
  • Ensure compliance by their workforce. 

The Security Rule contains definitions and standards that inform you what all of these requirements mean in plain English, and how they can be satisfied. 

What Does “Confidentiality” Mean?

Under the Security Rule, confidential ePHI is ePHI that may not be made available or disclosed to unauthorized persons.

What Does “Integrity” Mean?

Under the Security Rule, to maintain the integrity of ePHI means to not alter or destroy it in an unauthorized manner. 

What Does “Availability” Mean?

Under the Security Rule, PHI is considered to be “available” when it is accessible and usable on demand by an authorized person.

What Specific Security Measures Does the Security Rule Require?

The Security Rule requires entities to analyze their security needs and implement appropriate, effective security measures. 

The Security Rule does not dictate what specific security measure or measures must be used by a given organization of a particular size; as such, entities have some leeway to decide what security measures will work most effectively for them. 

What the Security Rule does require is that entities, when implementing security measures, consider the following things:  

  • Their size, complexity, and capabilities;
  • Their technical, hardware, and software infrastructure;
  • The costs of security measures; and
  • The likelihood and possible impact of the potential risk to ePHI.

The Security Rule also requires that covered entities don’t “sit still” – covered entities must continually review and modify their security measures to ensure ePHI is protected at all times.

What are the Three Standards of the HIPAA Security Rule?

The HIPAA Security Rule contains what are referred to as three required standards of implementation. Covered entities and BAs must comply with each of these. 

The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. 

What are Administrative Safeguards? 

The Security Rule administrative safeguard provisions require CEs and BAs to perform a risk analysis. Performing a risk analysis helps you to determine what security measures are reasonable and appropriate for your organization. 

A risk analysis process includes the following activities:

  • Evaluating the likelihood and impact of potential risks to ePHI;
  • Implementing appropriate security measures to address the risks identified in the risk analysis;
  • Documenting the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintaining continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process.   

What Are Physical Safeguards?

Physical safeguards protect the physical security of your offices where ePHI may be stored or maintained. Common examples of physical safeguards include:

  • Alarm systems;
  • Security systems; and 
  • Locking areas where ePHI is stored.

Physical safeguard control and security measures must include:

  • Facility Access and Control Measures:  Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI. 
  • Workstation and Device Security: Covered entities and business associates must: 
    • Implement policies and procedures to specify proper use of and access to workstations and electronic media. 
    • Have policies and procedures for the transfer, removal, disposal, and re-use of electronic media.  

What are Technical Safeguards?

Technical safeguards are measures, such as firewalls, encryption, and data back-up, that are implemented to keep ePHI secure. These safeguards consist of the following:

  • Access Controls: Implementing technical policies and procedures that allow only authorized persons to access ePHI.
  • Audit Controls: Implementing hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI. 
  • Integrity Controls: Implementing policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed. 
  • Transmission Security: Implementing technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network.
