
Citation

Department of Health and Human Services, Health Insurance Reform: Security Standards; Final Rule (HIPAA Security Rule), 45 C.F.R. Parts 160, 162 and 164 (2003) (full-text).

Overview

This Rule focuses on safeguarding electronic protected health information (ePHI). Whereas FISMA applies to all federal agencies and all information types, only the subset of agencies that function as HIPAA covered entities and handle ePHI is subject to the HIPAA Security Rule. All HIPAA covered entities, including those federal agencies, must comply with the Security Rule, which is directed specifically at protecting the confidentiality, integrity, and availability of ePHI as defined in the Rule.

A covered entity must protect the ePHI that it creates, receives, maintains, or transmits against reasonably anticipated threats and hazards, and against uses or disclosures that are not permitted or required under the HIPAA Privacy Rule, and must ensure compliance by its workforce.[1]

In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:

  • Covered Healthcare Providers — Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which the Department of Health and Human Services (DHHS) has adopted a standard.
  • Health Plans — Any individual or group plan that provides, or pays the cost of, medical care, including certain specifically listed governmental programs (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Healthcare Clearinghouses — A public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
  • Medicare Prescription Drug Card Sponsors — A nongovernmental entity that offered an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” remained in effect until the drug card program ended in 2006.

The Security Rule requires covered entities to enter into agreements with business associates who create, receive, maintain, or transmit ePHI on their behalf.[2] A covered entity is not liable for violations by the business associate unless the covered entity knew that the business associate was engaged in a practice or pattern of activity that violated HIPAA, and the covered entity failed to take corrective action. The Centers for Medicare and Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Rule.[3]

The Security Rule allows covered entities to consider such factors as the cost of a particular security measure, the size of the covered entity involved, the complexity of the approach, the technical infrastructure and other security capabilities in place, and the nature and scope of potential security risks. The Security Rule establishes "standards" that covered entities must meet, accompanied by implementation specifications for each standard. The Security Rule identifies three categories of standards: administrative, physical, and technical. The table below summarizes these security safeguards.

The Security Rule, which applies only to PHI in electronic form, states that covered entities have the flexibility to use any security measures that allow them to reasonably and appropriately implement specified standards. Specifically, the rule states that in deciding what security measures are appropriate, the covered entity must take into account elements such as its size, complexity, technical infrastructure, cost of security measures, and the probability and criticality of potential risks to its PHI.

The HITECH Act set additional requirements for the Secretary of HHS and expanded and strengthened certain privacy and security requirements mandated under HIPAA and the HIPAA rules.

References

  1. See Department of Health and Human Services, Security 101 for Covered Entities (full-text).
  2. Under such agreements, the business associate must: implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's electronic protected health information; ensure that its agents and subcontractors to whom it provides the information do the same; and report to the covered entity any security incident of which it becomes aware. The contract must also authorize termination if the covered entity determines that the business associate has violated a material term.
  3. HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. Part 164.302–164.318. See generally Centers for Medicare and Medicaid Services, Security Materials (full-text).
