
Summary of HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, establish a national set of security standards for the confidentiality, integrity, and availability of certain health information that is held or transferred in electronic form. This information is referred to as "electronic protected health information" or e-PHI.

A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing entities to adopt new technologies to improve the quality and efficiency of patient care. The Department of Health and Human Services, Office for Civil Rights, is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Go to Office of Information Security for additional information and resources.

  • Who is Covered by the Security Rule?

    The Security Rule applies to:

    • Health plans
    • Health care clearinghouses
    • Any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA
    • Business Associates of Covered Entities
    • Hybrid Entities
  • What information is Protected?
    • Electronic Protected Health Information - The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called PHI. The Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic protected health information" or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing; that information is covered by the Privacy Rule.
  • General Rules
    • The Security Rule requires Hybrid Entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI. Specifically, Hybrid Entities must:
    1. Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit
    2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
    3. Protect against reasonably anticipated, impermissible uses or disclosures
    4. Ensure compliance by their workforce
  • How does the Security Rule define "Confidentiality"?

    The Security Rule defines "confidentiality" to mean that e-PHI is not made available or disclosed to unauthorized persons. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.

  •  Risk Analysis and Management

     The Security Rule requires entities to perform a risk analysis as part of their security management processes. A risk analysis process includes, but is not limited to, the following activities:

    • Evaluate the likelihood and impact of potential risks to e-PHI
    • Implement appropriate security measures to address the risks identified in the risk analysis
    • Document the chosen security measures and, where required, the rationale for adopting those measures
    • Maintain continuous, reasonable, and appropriate security protections

    Risk analysis should be an ongoing process in which Hybrid Entities regularly review their records to track access to e-PHI and detect security incidents, periodically evaluate the effectiveness of the security measures put in place, and regularly re-evaluate potential risks.

  • Administrative Safeguards
    • Security Management Process - A covered entity must identify and analyze potential risks and must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level
    • Security Personnel - A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures
    • Information Access Management - The Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access)
    • Workforce Training and Management - A Hybrid Entity must provide appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures and must have and apply sanctions against workforce members who violate its policies
    • Evaluation - A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule
  • Physical Safeguards
    • Facility Access and Control - A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed
    • Workstation and Device Security - An entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of e-PHI
  • Technical Safeguards
    • Access Control - A covered entity must implement technical policies and procedures that allow ONLY authorized persons to access e-PHI
    • Audit Controls - An entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI
    • Integrity Control - A covered entity must ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed
    • Transmission Security - An entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network
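
The following is an added illustration of how three of the technical safeguards listed above (role-based access control, audit controls, and integrity control) fit together in code. It is example code written for this page, not a tool or requirement of HHS, the Office of Information Security, or the Security Rule itself. The role-to-permission table, the record layout, the patient identifiers and the integrity key are all assumptions made for the demonstration; a real entity derives its roles from its Information Access Management policy and keeps the key in a managed secret store.

```python
"""Minimal e-PHI store demonstrating role-based access control, an audit
trail of every access attempt, and HMAC-based integrity verification.
Example code added for illustration; not part of any HHS or OIS material."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Assumed role-to-permission mapping (hypothetical). IT support can run the
# system but has no business need to view or change e-PHI.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "it_support": set(),
}


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


class EPHIStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}  # patient_id -> (canonical JSON bytes, hex HMAC)
        self.audit_log = []  # append-only list of access events

    def _mac(self, data: bytes) -> str:
        # Keyed MAC so that an attacker who can rewrite storage cannot simply
        # recompute a plain hash over the altered record.
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, outcome):
        # Audit Controls: record who did what, to which record, with what result.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient_id": patient_id, "outcome": outcome,
        })

    def _authorize(self, user, role, action, patient_id):
        # Access Control: deny unless the role explicitly grants the action.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, patient_id, "denied")
            raise AccessDenied(f"role {role!r} may not {action} e-PHI")

    def write(self, user, role, patient_id, record: dict):
        self._authorize(user, role, "write", patient_id)
        data = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (data, self._mac(data))
        self._audit(user, role, "write", patient_id, "ok")

    def read(self, user, role, patient_id) -> dict:
        self._authorize(user, role, "read", patient_id)
        if patient_id not in self._records:
            self._audit(user, role, "read", patient_id, "not_found")
            raise KeyError(patient_id)
        data, mac = self._records[patient_id]
        # Integrity Control: refuse to serve a record whose MAC no longer matches.
        if not hmac.compare_digest(mac, self._mac(data)):
            self._audit(user, role, "read", patient_id, "integrity_failure")
            raise IntegrityError(f"record {patient_id} failed integrity check")
        self._audit(user, role, "read", patient_id, "ok")
        return json.loads(data)

    def _tamper(self, patient_id, new_record: dict):
        # Simulates an attacker altering storage behind the API (demo only).
        data = json.dumps(new_record, sort_keys=True).encode()
        self._records[patient_id] = (data, self._records[patient_id][1])


def demo() -> dict:
    """Walk through an authorized read, a denied read, and a detected tamper.
    All identifiers and record contents are constructed sample data."""
    store = EPHIStore(secrets.token_bytes(32))
    result = {}
    store.write("dr_lee", "physician", "P-1001",
                {"dx": "J45.20", "allergies": ["penicillin"]})
    result["billing_read_ok"] = store.read("clerk_01", "billing", "P-1001")["dx"] == "J45.20"
    try:
        store.read("helpdesk_7", "it_support", "P-1001")
        result["it_support_denied"] = False
    except AccessDenied:
        result["it_support_denied"] = True
    store._tamper("P-1001", {"dx": "J45.20", "allergies": []})
    try:
        store.read("dr_lee", "physician", "P-1001")
        result["tamper_detected"] = False
    except IntegrityError:
        result["tamper_detected"] = True
    result["audit_outcomes"] = [e["outcome"] for e in store.audit_log]
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The denied attempt and the integrity failure are both written to the audit log before the exception is raised, so the log records failed access as well as successful access, which is what the "record and examine access and other activity" language calls for. Transmission Security is not shown here; in practice that is handled by TLS on every network path that carries e-PHI, not by application code.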