What is the HIPAA Security Rule?


Anyone who has heard of HIPAA will probably be aware of the various “HIPAA Rules” that make up the legislation. But what is the HIPAA Security Rule? Its formal title is the Security Standards for the Protection of Electronic Protected Health Information (shortened to the “Security Rule”), and, as that name suggests, it sets out the safeguards HIPAA requires to keep electronic patient data protected. In this article, we discuss what steps Covered Entities (CEs) and Business Associates (BAs) need to take to ensure that they are compliant with the Security Rule.

The Security Rule was first published in 2003, in part as a follow-up to the HIPAA Privacy Rule that was published a year earlier. The Privacy Rule defines what data is protected under HIPAA (“Protected Health Information”, or PHI) and determines when it may be used and disclosed. However, the Privacy Rule does not specify the safeguards that must be in place to keep PHI confidential; that is the job of the Security Rule.

The Security Rule contains a set of administrative, physical, and technical safeguards that must be implemented by CEs and BAs. The purpose of these safeguards is to maintain the confidentiality, integrity, and availability of electronic patient data: it must not be disclosed to unauthorized people, it must not be altered or destroyed in an unauthorized manner, and it must remain accessible to the authorized people who need it. CEs and BAs must also protect against reasonably anticipated threats to the data, whether accidental or malicious.

The HIPAA Security Rule administrative safeguards include:

  • Security Management Processes (such as risk analysis and risk management)
  • Assigning Security Personnel: a designated official who is responsible for developing and implementing security policies
  • Information Access Management, so that only authorized individuals can access ePHI
  • Comprehensive Workforce Training and Management, so that all employees are aware of their duties under HIPAA
  • Regular evaluation of security policies and procedures to ensure that they remain sufficient and effective

The physical safeguards include:

  • Restricting Facility Access to authorized individuals only
  • Implementing Workstation and Device Security policies, so that ePHI on workstations and portable media is not accessible to unauthorized people

And finally, the technical safeguards include: 

  • Access Controls that limit access to ePHI to authorized users and programs
  • Audit Controls that record activity in systems containing ePHI, so that management can establish who accessed ePHI and when
  • Integrity Controls that ensure ePHI is not improperly altered or destroyed
  • Transmission Security that guards against unauthorized access to ePHI while it is sent over a network

However, the Security Rule only applies to PHI that has been created, maintained, received, or transmitted electronically (“electronic” PHI, or ePHI). PHI that is spoken or held on paper is not covered by the Security Rule, but it is still protected under the HIPAA Privacy Rule and may also be protected by other privacy legislation.

There is a crucial distinction made between “required” and “addressable” implementation specifications within the Security Rule. All specifications labelled as “required” must be implemented as stipulated in HIPAA. Yet “addressable” does not mean that the specification can be ignored. Rather, it means that the CE or BA must assess whether the specification is reasonable and appropriate for its environment. If it is, it must be implemented. If it is not, the CE or BA must document why, and must implement an equivalent alternative safeguard where one is reasonable and appropriate. The assessment and the decision must be documented either way. This flexibility also keeps the Security Rule technology-neutral, so that it does not need to be constantly updated in line with technological developments.

Non-compliance is a serious issue. Violations of the HIPAA Security Rule are investigated by the Office for Civil Rights (OCR), which can resolve them through voluntary compliance and corrective action plans or, in more serious cases, through financial penalties. With this in mind, all CEs and BAs should ensure that their employees are trained in HIPAA.