The US Department of Health and Human Services (HHS) provides a summary of important elements of the HIPAA Security Rule. This summary offers a useful overview of the rule, which is intended to protect the privacy and security of electronic health information.
The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes a national set of security standards for protecting health information that is held or transferred in electronic format. It addresses the technical and non-technical safeguards that covered entities must have in place to protect individuals' electronic protected health information (e-PHI).
Who is Covered
The Security Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. It also applies to business associates of covered entities.
What Information is Protected
The Security Rule protects individually identifiable health information that is in electronic form.
The Security Rule requires covered entities to have reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI. Covered entities must perform a risk analysis to review their security management process. They must also have administrative safeguards in place, including: a security management process; security personnel; information access management; workforce training; and evaluation. Physical safeguards, such as facility access controls and workstation/device security, along with technical safeguards, must also be implemented.
A summary of HHS requirements for Security Rule compliance is available on the HHS website.