HIPAA Security Rules & Policies

Security Rule

• The Security Rule focuses solely on the protection of "electronic protected health information," known as e-PHI, which is an important consideration, as more health care providers transition to electronic systems. The HHS website states that a major goal of the Security Rule is to "protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care." Entities covered under the security rule are any health care providers, plans or clearinghouses that transmit health care information electronically.

General Rules and Policies

• The HHS website specifies that entities covered under the Security Rule are required to implement and maintain "reasonable and appropriate administrative, technical and physical safeguards" for the protection of e-PHI. This means that entities must be able to ensure the integrity, availability and confidentiality of any e-PHI for which they are responsible. Also, entities must protect e-PHI by identifying and taking measures to protect against "impermissible use of disclosure" of information, as well as potential threats to the security or integrity of the information. Ensuring the education and compliance of all employees with access to e-PHI is an important consideration. Compliance measures should be documented, assessed and updated regularly due to changes in technology and health care practice.

Who Enforces?

• According to the HHS website, the Office of Civil Rights is responsible for enforcing the Security Rule through "voluntary compliance activities and civil money penalties." The OCR may conduct investigations of covered entities to ensure compliance.