The Security Standards for the Protection of Electronic Protected Health Information, also known as the Security Rule, sets forth a national set of security standards to protect certain health information that is held or transferred in electronic form. 

The Security Rule operationalizes the protections in the Privacy Rule by specifying the technical and non-technical safeguards that covered entities must put in place to secure individuals' electronic protected health information (e-PHI). Within the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules through compliance activities and civil monetary penalties.

Prior to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, there weren’t any universally accepted security standards or requirements in place to protect health information in the health care industry. As new technologies were evolving, the health care industry started replacing paper processes with electronic information systems to pay claims, answer eligibility questions, share health information and handle other routine administrative and clinical functions.

Today, health care providers use clinical applications, such as electronic health records, computerized physician order entry systems, and similar systems for radiology, pharmacies, and laboratories. Health plans are providing access to claims, care management, and patient self-service applications. Although this facilitates medical workforce mobility and efficiency, these technologies increase the potential security risks.

The Security Rule applies to health plans, health care clearinghouses and health care providers that transmit any health information covered by HIPAA in electronic form, as well as to their business associates. For additional information and guidance, see the HHS Summary of the HIPAA Security Rule.

The HITECH Act of 2009 made business associates directly liable for compliance with the HIPAA Security Rule. HHS developed regulations (the 2013 Omnibus Final Rule) to implement and clarify these changes.

The Security Rule protects a portion of the information covered by the Privacy Rule. That portion is all individually identifiable health information created, received, maintained or transmitted in electronic form by any covered entity. The Security Rule does not apply to PHI transmitted orally or in writing.

The Security Rule helps protect the privacy of individuals’ health information while allowing covered entities to improve the quality and efficiency of patient care with technology. The rule was designed to be flexible and scalable, allowing covered entities to implement policies, procedures, and technologies based on their size, organizational structure, and risks to e-PHI. So, it’s important that covered entities carefully consider the impact when deciding which security measures to use to protect e-PHI. And, covered entities must continually review and modify their security measures in an ever-changing environment.

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management process. Risk analysis should be an ongoing process: a covered entity routinely reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of its security measures, and repeats the risk assessment whenever its environment changes so that potential risks to e-PHI are reevaluated.

The Security Rule requires covered entities to maintain administrative, technical and physical safeguards to protect e-PHI.  Specifically, covered entities must:

  1. Ensure the confidentiality*, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

*The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons.

The administrative safeguards include:

  • Security Management Process
  • Security Personnel
  • Information Access Management
  • Workforce Training and Management
  • Evaluation

The technical safeguards include:

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Transmission Security

The physical safeguards include:

  • Facility Access and Control
  • Workstation and Device Security

Covered entities are required to adhere to every standard in the Security Rule, but the implementation specifications within those standards are categorized as either required or addressable. Required implementation specifications must be implemented as written. For addressable specifications, each covered entity must assess whether the specification is reasonable and appropriate in its environment; if it is, the entity implements it, and if it is not, the entity must document why and implement an equivalent alternative measure that achieves the same end result where reasonable and appropriate. Addressable does not mean optional.

HIPAA compliance under the Security Rule looks a bit different for each covered entity because of the rule's flexible and scalable nature. While the rule does not mandate specific security technologies, encryption is one of the most strongly recommended practices, because many HIPAA data breaches have involved the theft or loss of unencrypted devices.

In addition, an increasing number of security incidents result from cyberattacks. Properly encrypted data is unreadable to unauthorized parties, regardless of how the incident occurred, as long as the decryption key is not compromised along with the data. Under the HIPAA Breach Notification Rule, PHI that has been encrypted in a manner consistent with HHS guidance is considered "secured," so its loss or theft is not treated as a reportable breach; PHI that is unencrypted, or whose key was also exposed, remains "unsecured" and is subject to breach notification.

With the increasing use of cloud services for data storage, a cloud service provider that creates, receives, maintains or transmits e-PHI on behalf of a covered entity is itself a business associate. Covered entities should therefore choose cloud and security solution providers that routinely handle e-PHI under the Security Rule's safeguards, and must obtain a signed business associate agreement from each such provider to remain HIPAA compliant.