Not only was the Health Insurance Portability and Accountability Act (HIPAA) enacted to protect more workers and their families by limiting exclusion of coverage for preexisting conditions, but it also was made to protect the security and privacy of patient health information.

Learn More about the HIPAA Security Rule

The Security Rule, a provision of HIPAA, was made to ensure the integrity, availability, and confidentiality of electronic patient health information (EPHI). This provision is distinct from the Privacy Rule, which regulates the disclosure of patient health information (PHI). The Security Rule only deals with information contained in e-mails or other electronic transmissions.

Regulations on Covered Entities

Covered Entities include health care providers that conduct health care transactions electronically, health plans, and health care clearinghouses. Doctors, nurses, and health care providers are not the only entities that must comply with the HIPAA Security Rule. Employers who sponsor health plans for their employees must also abide by the Security Rule.

The Security Rule, however, does not apply to entities that do not submit information electronically.

Safeguards and Compliance

There are three types of security safeguards necessary for compliance with the Security Rule: administrative, physical, and technical. For each of these three types, there are security standards set forth for implementation.

  • Administrative Safeguards. The administrative safeguards deal with the administrative functions within a covered entity that must be in place to comply with the Security Rule. Some of these include: adopting a written set of privacy procedures, designating privacy officers, initiating an ongoing training program for employees who will be handling EPHI, and responding to security breaches.

  • Physical Safeguards. The physical safeguards are those that pertain to the measures that should be taken to control physical access to EPHI. Some of these include: monitoring access to equipment containing health information, authorizing only certain individuals access to software and hardware, and training any contractors and agents on their physical access limitations.

  • Technical Safeguards. The technical safeguards address the technical measures that must be set in place to protect data and access to data. Some of these include: making documentation of HIPAA practices available to the government, implementing risk analysis and risk management programs, and ensuring data has not been erased in an unauthorized manner.

Having these three safeguards in place will ensure the protection of EPHI against any mishandling, improper use, or security breaches.

Although implementing new procedures may seem a daunting task, it is critical to be in compliance with the Security Rule in order to run a smoothly operating practice.