This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision. Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and
clinically based functions. Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they
are), the rise in the adoption rate of these technologies increases the potential security risks. A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that
are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. To make it easier to review the complete requirements of the Security
Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Security Rule section to view the entire Rule, and for additional helpful information about how the Rule applies. In the event of a conflict between
this summary and the Rule, the Rule governs. HIPAA called on the Secretary to issue security
regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003.2 The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to
use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C. Read more about covered entities in
the Summary of the HIPAA Privacy Rule - PDF. See additional guidance on business associates. Specifically, covered entities must: The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper
uses and disclosures of PHI. The Security rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.5 HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources. Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.7 Risk Analysis and Management
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Required and Addressable Implementation Specifications
Organizational Requirements
Policies and Procedures and Documentation Requirements
State Law
Enforcement and Penalties for Noncompliance
Compliance Dates
Copies of the Rule and Related Materials
End Notes [1]Pub. L. 104-191. [2] 68 FR 8334. [3] 45 C.F.R. § 160.103. [4] 45 C.F.R. § 164.306(a). [5] 45 C.F.R. § 164.304. [6] 45 C.F.R. § 164.306(b)(2). [7] 45 C.F.R. § 164.306(e). [8] 45 C.F.R. § 164.306(b)(iv). [9] 45 C.F.R. § 164.308(a)(1)(ii)(B). [10] 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1). [11] 45 C.F.R. § 164.306(e). [12] 45 C.F.R. § 164.308(a)(1)(ii)(D). [13] 45 C.F.R. § 164.306(e); 45 C.F.R. § 164.308(a)(8). [14] 45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e). [15] 45 C.F.R. § 164.308(a)(2). [16] 45 C.F.R. § 164.308(a)(4)(i). [17] 45 C.F.R. § 164.308(a)(3) & (4). [18] 45 C.F.R. § 164.308(a)(5)(i). [19] 45 C.F.R. § 164..308(a)(1)(ii)(C). [20] 45 C.F.R. § 164.308(a)(8). [21] 45 C.F.R. § 164.310(a). [22] 45 C.F.R. §§ 164.310(b) & (c). [23] 45 C.F.R. § 164.310(d). [24] 45 C.F.R. § 164.312(a). [25] 45 C.F.R. § 164.312(b). [26] 45 C.F.R. § 164.312(c). [27] 45 C.F.R. § 164.312(e). [28] 45 C.F.R. § 164.306(d). [29] 45 C.F.R. § 164.314(a)(1). [30] 45 C.F.R. § 164.316. [31] 45 C.F.R. § 164.316(b)(2)(iii). [32] 45 C.F.R. § 160.203. [33] 45 C.F.R. § 160.202. Content created by Office for Civil Rights (OCR) What are the key elements of the HIPAA security Rule?General Rules
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and.
What are the 3 types of safeguards required by HIPAA's security Rule?The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
What are the two types of implementation specifications of the HIPAA security Rule?Under the HIPAA Security Rule, implementation of standards is required, and implementation specifications are categorized as either "required" (R) or "addressable" (A). For required specifications, covered entities must implement the specifications as defined in the Security Rule.
What factors must be considered to determine if a document is protected health information under HIPAA?The Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” is information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or.
|