The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was established to provide federal protections for United States citizens’ individual health data. It is designed to safeguard electronic Protected Health Information (ePHI) created, received, maintained, or transmitted by covered entities.
The regulation requires entities to enforce administrative, physical, and technical protections to maintain the accessibility, privacy, and accuracy ePHI. According to the HIPAA security rule:
- Confidentiality means that ePHI is not made available or disclosed to unauthorized persons.
- Integrity refers to the protection of ePHI from unauthorized alteration or destruction.
- Availability ensures that ePHI is accessible and usable on demand by an authorized person.
To adhere to the HIPAA Security Rule, covered entities must assess their security risks and implement measures to mitigate these risks, thereby protecting patients’ sensitive health information from breaches and unauthorized disclosures.
Quick reference for key HIPAA terms
- Protected Health Information (PHI)
Information contained in medical records or other health-related documentation capable of identifying an individual and that was generated, utilized, or revealed while delivering a healthcare service, including diagnosis or treatment. - Electronic Protected Health Information (ePHI)
ePHI is any protected health information created, stored, transmitted, or received electronically. The HIPAA Security Rule specifically focuses on protecting ePHI. - Covered entities
Covered entities consist of individuals or organizations that electronically transmit health information (e.g., health plans, health care clearinghouses, and health care providers). - Business associates
Business associates are individuals or organizations engaged in specific tasks or operations involving the handling or revealing of PHI for or offering services to a covered entity (e.g., billing firms, external consultants, IT service providers, and vendors of electronic health records).
A brief history of the HIPAA Security Rule
| 1996 | The 104th United States Congress enacted HIPPA, and President Bill Clinton signed it into law. |
| 2000 | The Department of Health and Human Services (HHS) instituted the HIPAA Privacy Rule to create norms for safeguarding individuals’ medical records and personal health data. |
| 2002 | HHS instituted the HIPAA Security Rule, which focused on ensuring the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). |
| 2003 | The HIPAA Privacy Rule went into effect for most organizations, with a one-year extension for small health plans. |
| 2005 | The HIPAA Security rule went into effect for covered entities. |
| 2009 | The Health Information Technology for Economic and Clinical Health (HITECH) Act broadened the privacy and security measures stipulated by HIPAA, escalated the sanctions for non-adherence, and introduced stricter enforcement mechanisms. |
HIPAA Security Rule resources
Several agencies offer tools and resources to facilitate compliance with the HIPAA Security Rule, such as the HIPAA Security Risk Assessment Tool and Guidance on Risk Analysis. Using these tools is an important step for covered entities and business associates to enable compliance with HIPAA regulations.
HIPAA Security Risk Assessment Tool
The HIPAA Security Risk Assessment (SRA) Tool is a downloadable resource created by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to help covered entities and business associates understand and implement the requirements of the HIPAA Security Rule. The SRA Tool is designed to be user-friendly and accessible to small and medium-sized healthcare providers.
Key features of the HIPAA SRA Tool:
- Step-by-step guided assessment—guides users through each aspect of a security risk assessment, covering administrative, physical, and technical safeguards as well as the identification of potential threats and vulnerabilities.
- Customizable questionnaire—allows organizations to tailor the assessment to their unique requirements and consider their size, complexity, and capabilities.
- Educational resources—provides explanations, examples, and references to relevant sections of the HIPAA Security Rule to help users better understand the requirements.
- Risk calculation and documentation—helps calculate potential risks and vulnerabilities to ePHI and assists in documenting the measures that are in place or need to be implemented to mitigate these risks.
- Report generation—generated a report that outlines the organization’s compliance efforts with the HIPAA Security Rule that can be used for internal purposes or provided during audits.
Guidance on Risk Analysis
The U.S. Department of Health and Human Services releases regular advisories on the HIPAA Security Rule’s stipulations. These guidance documents are designed to help entities recognize and apply the most suitable and effective safeguards to ensure the security, privacy, and integrity of electronic protected health information. These resources are subject to annual revisions to remain current and relevant.
HIPAA Security Rule summary
The HIPAA Security Rule is focused on ePHI. A core element of it is the requirement for covered entities to perform a risk analysis and implement security measures sufficient to reduce these risks to a reasonable and appropriate level.
Unlike other rules, the HIPAA Security Rule is flexible and allows an organization to tailor its compliance approach according to its size, structure, and operations, and the nature of its ePHI.
This means there is no single mandatory way to achieve compliance, but the safeguards specified must be applied effectively, and there are two requirements.
- Organizational requirements: Policies, procedures, and documentation requirements for covered entities and business associates to guarantee the proper protection of PHI, such as contracts or other arrangements between organizations that share ePHI
- Policies and documentation requirements: Requirements for retaining records of documented policies and procedures pertinent to the HIPAA Security Rule for a period of six years from the date of their creation or from the date they were last applicable, whichever comes later
Who must comply with the HIPAA Security Rule?
The HIPAA Security Rule is applicable to covered entities, such as health plans, healthcare clearinghouses, and healthcare providers that electronically transfer health information that includes ePHI. It also applies to business associates, which can be either individuals or organizations that conduct tasks or services for covered entities and require the handling or revealing of ePHI.
What information is protected by the HIPAA Security Rule?
The HIPAA Security Rule protects identifiable health information that is transmitted or maintained electronically. This includes information that relates to:
- Health status information—details concerning an individual’s physical or mental health condition
- Healthcare provision data—information about the care, treatment, services, or diagnostics provided to an individual
- Payment information—data related to financial transactions or billing for healthcare services
- Identifiers in ePHI—information that contains one or more personal identifiers that could be used to recognize an individual or their health information, such as:
- Account numbers
- Addresses (i.e., geographic subdivisions smaller than a state)
- Unique identifying numbers, characteristics, or codes assigned to an individual
- Biometric identifiers (e.g., finger and voice prints)
- Certificate or license numbers
- Dates (except year) directly related to an individual
- Device identifiers and serial numbers
- Email addresses
- Full-face photographic images and any comparable images
- Health plan beneficiary numbers
- Internet Protocol (IP) address numbers
- Medical record numbers
- Names
- Phone numbers
- Social Security Numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Web Uniform Resource Locators (URLs)
What types of safeguards are required under the HIPAA Security Rule?
The HIPAA Security Rule details three types of safeguards that address different aspects of ePHI protection and is designed to work in tandem to create a comprehensive security framework.
1. Administrative safeguards
Administrative safeguards are strategies and protocols established to demonstrate an organization’s adherence to the regulation. These safeguards include creating, executing, and upholding security measures to safeguard ePHI and regulate the behavior of the workforce regarding ePHI data security. These protections include:
- Designation of security officials—assigns security responsibility to personnel or teams tasked with formulating and applying required security guidelines and protocols
- Employee education and management—provide staff training on the proper management of ePHI and the organization’s security practices and policies
- Periodic review—continuous evaluation of the effectiveness of security policies and procedures to ensure they sufficiently protect ePHI
- Risk analysis and mitigation—conduct comprehensive evaluations of potential threats to the security, privacy, and accessibility of ePHI
2. Physical safeguards
Physical safeguards consist of actions, rules, and practices designed to protect an organization’s electronic information systems, along with the premises and devices that house them, from natural disasters, environmental threats, and unauthorized access. These protections include:
- Controlled facility access—restrict physical access to electronic information systems and their environments to those with explicit authorization
- Security for workstations and devices—define appropriate usage and access to workstations, devices, and electronic media, including the secure transfer, elimination, disposal, and recycling of electronic media to safeguard ePHI
3. Technical Safeguards
Technical safeguards cover the digital systems that store and process ePHI and manage its accessibility. These protections include:
- Access control policies—restrict ePHI access to individuals or systems with explicit authorization
- Data integrity measures—verify that ePHI remains unchanged and undamaged by unauthorized actions
- Monitoring controls—log and scrutinize activities in digital systems that use or transmit ePHI
- Protection during transmission—prevent unauthorized entities from accessing ePHI while it is being transferred across electronic networks
What are the penalties for non-compliance with the HIPAA Security Rule?
Civil monetary penalties
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing civil penalties for violations of the HIPAA Security Rule. HIPAA outlines specific aggravating and mitigating circumstances that authorities must evaluate when setting the penalty amount. These factors include:
- Scope of individuals impacted
- Nature of harm caused by the violation, including physical, financial, or reputational damage or interference with a patient’s access to healthcare
- Entity’s record of adherence or failure to comply in the past
- Economic status of the entity
- Potential impact of a civil fine on the entity’s capability to continue offering healthcare services
- Overall size of the entity
Tier one civil violations
For violations where the entity was unaware and could not have realistically known of the breach, penalties range from $137 to $34,464 per violation, with an annual maximum of $34,464 for repeat violations.
Tier two civil violations
For violations due to reasonable cause and not willful neglect, penalties range from $1,379 to $68,928 per violation, with an annual maximum of $137,886 for repeat violations.
Tier three civil violations
For violations due to willful neglect that are corrected within a timely manner (typically within 30 days), penalties range from $13,785 to $68,928 per violation, with an annual maximum of $344,638 for repeat violations.
Tier four civil violations
For violations of willful neglect that are not corrected within a timely manner, penalties are $68,928 per violation, with an annual maximum of $2,067,813.
In addition, state attorneys general can issue fines up to a maximum of $25,000 per violation category per year.
Criminal penalties
The Department of Justice is responsible for criminal violations of the HIPAA Security Rule.
Tier one
Deliberately obtaining and disclosing PHI without authorization results in a monetary fine of $50,000 and up to one year in jail.
Tier two
Obtaining PHI under false pretenses results in a monetary fine of $100,000 and up to five years in jail.
Tier three
Obtaining PHI for personal gain or with malicious intent results in a monetary fine of $250,000 and up to 10 years in jail.
HIPAA: Essential protection for health records
The HIPAA Security Rule is essential for protecting individuals’ sensitive health records. The requirements and safeguards set forth in the HIPAA Security Rule provide a framework that not only protects ePHI but also optimizes security controls for healthcare organizations and maintains the trust of patients.
You might also be interested in:
Unleash the power of unified identity security.
Centralized control. Enterprise scale.