This is a question many doctors, physicians, chiropractors and dentists ask. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 outlines several “Rules” that covered entities must abide by to remain legal and compliant, one of which is the Security Rule. Due to the generalized wording used in the Security Rule, many covered entities are left scratching their heads over written forms of communication and whether they are covered under this Rule.

Before we answer this question, let's first go over the basics of the HIPAA Security Rule. According to the U.S. Department of Health and Human Services (HHS), the Security Rule is a set of national standards used to protect electronic health information that is created, received, used and/or maintained by covered entities. “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity,” wrote the HHS. You can read the HIPAA Rule in its entirety by visiting, but that's the basic gist of it.

Based on this definition alone, it's safe to assume that the HIPAA Security Rule does not affect written information. As you can see from the statement above, the HHS defines the Security Rule as being a set of national standards which protect electronic personal health information (also known as ePHI). This differs from protected health information (PHI), which is governed by the Administrative and Privacy Rules.

So, to answer the question above, the HIPAA Security Rule does not apply to written forms of communication. Whether it's a sticky note, printed document, or piece of paper, written health information is not covered by the HIPAA Security Rule. The standards described in the Security Rule are specific to ePHI. With that said, however, certain types of electronic communications that are often overlooked are in fact covered by the Security Rule, such as telephone voice answering machines and fax back systems (note: paper fax and teleconferencing messages are not considered ePHI since the information was not in electronic form before it was sent).

Furthermore, the HIPAA Security Rule does not apply to oral communications either. Trying to understand the nuances between the different HIPAA Rules and what exactly they govern can be confusing. Once you learn the basics, though, you'll have an easier time keeping your practice compliant and your patients' data secure.

