HIPAA Security Rule

The HIPAA Security Rule addresses the technical and non-technical safeguards that HIPAA covered entities must put in place to secure individuals’ PHI. The Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Prior to HIPAA, no generally accepted security standards for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.

Today, providers are increasingly using computerized systems for electronic health records (EHR), radiology, pharmacy, and laboratory systems. Health plans are providing electronic claims and care management, as well as member self-service applications. While this may increase the mobility and efficiency of the medical workforce (that is, a doctor can review patient records and test results without having to wait for them in the mail or drive to an office), these advanced functions create serious security risks.


A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size and organizational structure.

Who is Required to Abide by the Security Rule?

The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with any transaction to which the HIPAA and HITECH regulations apply. Also, the HITECH Act of 2009 expanded these responsibilities beyond the covered entity to also include the business associates of covered entities. The Omnibus Rule expands that even further by including the subcontractors of business associates (who are now considered business associates themselves).
