The Security Rule

Last updated: November 4, 2020

The Security Rule specifies the safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI). The Security Rule protects a subset of the information covered by the Privacy Rule, namely all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing (HHS, 2018).

Prior to HIPAA, there was no consensus on an accepted set of security standards or general requirements for protecting health information. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based tasks (HHS, 2018).

Today, providers are using digital clinical applications such as computerized order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient, the rise in the adoption rate of these technologies increases the potential security risks (HHS, 2018).

The major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The health care marketplace is diverse, and thus, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI (HHS, 2018).

The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person (HHS, 2018).

HHS recognizes that covered entities range in size. Therefore, the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources (HHS, 2018).

When a covered entity is deciding which security measures to use, the Rule does not dictate the measures but requires the covered entity to consider (HHS, 2018):

  • Its size, complexity, and capabilities
  • Its technical, hardware, and software infrastructure
  • The costs of security measures
  • The likelihood and possible impact of potential risks to e-PHI

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

The Security Rule (HHS, 2018) requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  3. Protect against reasonably anticipated, impermissible uses or disclosures.
  4. Ensure compliance by their workforce.