Originally signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) contains a set of Rules that healthcare providers and other covered entities must follow to protect the privacy of patients. One such Rule is the Security Rule, which essentially complements the existing Privacy Rule. The key difference between the two, however, is that the HIPAA Privacy Rule covers all forms of Protected Health Information (PHI), whereas the Security Rule pertains strictly to Electronic Protected Health Information (EPHI).

The first step towards understanding the HIPAA Security Rule is to familiarize yourself with the different safeguards it entails. When the Security Rule was issued on February 20, 2003 (note: it didn't take effect until April 21st of that same year), it laid out three specific types of safeguards that covered entities must implement in order to remain compliant with this new law.

One of the three safeguards described in the HIPAA Security Rule is Administrative. Administrative safeguards consist of policies and procedures that are intended to show exactly how the covered entity will comply with HIPAA. Such policies must reference management oversight and organizational buy-in; address access, authorization, modification and termination; describe the way in which workers are trained on the handling of EPHI; establish a contingency plan for responding to emergencies; and offer instructions on how to respond to security breaches.

Another safeguard described in the HIPAA Security Rule is Technical. As the name suggests, technical safeguards consist of access control systems that are designed to prevent the unauthorized use and/or disclosure of EPHI. Examples of technical safeguards include data encryption, firewalls, remote data wipe programs, virus scanners, and data corroboration (e.g. checksums, message authentication codes, digital signatures).
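To make the "data corroboration" examples concrete, here is a small added illustration (not code from the original post) of the difference between a plain checksum and a keyed message authentication code when verifying the integrity of a stored EPHI record. The record, the key, and the modification scenario are all constructed for the example; a real deployment would keep the key in a KMS or HSM and pair the MAC with the access controls and audit logging the Rule also expects.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample record; no real patient data.
RECORD = {"patient_id": "EXAMPLE-0001", "drug": "examplecillin", "dose_mg": 50}

# Hypothetical integrity key; in production this lives in a KMS/HSM, never in source.
KEY = b"hypothetical-integrity-key-not-for-real-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> int:
    """CRC32 checksum: catches accidental corruption, but anyone who can edit the
    record can recompute it, so it proves nothing against deliberate change."""
    return zlib.crc32(canonical_bytes(record)) & 0xFFFFFFFF


def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256: catches corruption *and* modification by any party lacking the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, expected: int) -> bool:
    return checksum(record) == expected


def verify_mac(record: dict, key: bytes, expected: str) -> bool:
    # compare_digest avoids leaking timing information about the tag.
    return hmac.compare_digest(mac(record, key), expected)


def demo() -> dict:
    """Compare what each mechanism detects when a stored record is altered."""
    stored_crc = checksum(RECORD)
    stored_tag = mac(RECORD, KEY)

    # A single changed field (dose 50 -> 500) stands in for both a disk error
    # and an unauthorised edit; the bytes on disk look the same either way.
    altered = dict(RECORD, dose_mg=500)

    return {
        # Both mechanisms notice that the stored record no longer matches.
        "checksum_flags_change": not verify_checksum(altered, stored_crc),
        "mac_flags_change": not verify_mac(altered, KEY, stored_tag),
        # A checksum recomputed over the altered record verifies cleanly, which
        # is why a checksum alone cannot attest that EPHI is unmodified.
        "checksum_recomputable_without_secret": verify_checksum(altered, checksum(altered)),
        # A tag computed without the real key does not verify.
        "mac_requires_key": not verify_mac(altered, KEY, mac(altered, b"some-other-key")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway for a compliance review is that a checksum satisfies the "detect corruption" half of data corroboration, while only a keyed MAC (or a digital signature, which additionally lets a third party verify without the secret) covers unauthorized alteration.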

The third and final type of safeguard described in the HIPAA Security Rule is Physical. Physical safeguards are much like the aforementioned technical safeguards, as both are designed to protect EPHI from unauthorized use and disclosure. However, physical safeguards live up to their name by being physical and tangible. Such safeguards may consist of locked doors, locked file cabinets, privacy screen protectors, etc.

Hopefully, this will give you a better understanding of the HIPAA Security Rule and its respective safeguards. While the Physical, Technical and Administrative safeguards are all designed to protect patients' privacy, they have subtle nuances that shouldn't go unnoticed.
