HIPAA Rules: Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) was originally passed in 1996; the HIPAA Security Rule was added in 2005. HIPAA mandated that the Secretary of the US Department of Health and Human Services (HHS) create rules for the security and privacy of specific health information.

The Security Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (e-PHI).

Specifically, covered entities must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Ensure that their workforce complies.
  • Protect against reasonably anticipated, impermissible uses or disclosures.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.