The Health Insurance Portability and Accountability Act of 1996 is designed to protect the data and information of healthcare patients. To achieve this goal, it defines several Rules which covered entities are legally required to follow, including the Privacy and Security Rule. While many doctors and healthcare practitioners may assume these Rules refer to the same thing, there are some major differences between the two that shouldn't go unnoticed.
You can read more about HIPAA Rules by checking out some of our previous blog posts, but the Privacy Rule is basically a set of standards that, among other things, are implemented by entities and businesses associated who may have access to Protected Health Information (PHI), whereas the Security Rule is a set of standards to ensure that only authorized personnel have access to Electronic Protected Health Information (EPHI).
Electronic, Paper and Oral PHI
Protect Health Information (PHI) can be broken down into one of three different categories: electronic (e.g. emails and digital documents), paper (e.g. paper files or printed sheets), and oral (e.g. spoken by a doctor or nurse). One of the key differences between the HIPAA Security and Privacy Rule lies in the type of PHI being used. The Privacy Rule applies to all forms of PHI (electronic, paper and oral), but the Security Rule applies ONLY to the EPHI.
If a covered entity access or otherwise handles protected health information in oral and/or paper form, it's not required to follow the Security Rule – at least not when the PHI remains in these forms. But if the PHI is altered or transitioned to electronic format, the entity must abide by the HIPAA Security Rule.
Both the HIPAA Privacy and Security Rule outline measures and safeguards that covered entities must take to prevent unauthorized access or use or PHI. However, the measures outlined in the Security Rule are “far more comprehensive,” as noted by the Department of Health and Human Services (HHS).
The Privacy Rule specifies safeguards such as (c)(2), which states that “A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.” The Security Rule, on the other hand, is more detailed and less generalized, stating specific procedures covered entities are required to make.