Entities Subject to or Affected by the Security Rule
The Security Rule applies to all covered entities, i.e., health plans, health care clearinghouses, and health care providers who electronically transmit health information in connection with a covered transaction.78 HITECH applied all of the security requirements to business associates and subcontractors of business associates.79
The Security Rule protects only a subset of information covered by the Privacy Rule.80 It protects all individually identifiable health information a covered entity or business associate creates, receives, maintains or transmits in electronic form, and classifies this information as “electronic protected health information” (e-PHI). The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.
CEs and business associates of covered entities are required by the Security Rule to maintain reasonable and appropriate administrative, physical, technical, and organizational safeguards for protecting e-PHI.81 Specifically, entities must: 1) ensure the confidentiality, integrity, and availability of all e-PHI that the covered entity creates, receives, maintains, or transmits; 2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; 3) protect against any reasonably anticipated uses or disclosures; and 4) ensure workforce compliance.
The Security Rule provides entities considerable flexibility in meeting such requirements. Entities may use any security measure that allows them to reasonably and appropriately implement the Rule’s standards and implementation specifications. However, when deciding which security measures to use, an entity must always take into account: its size, complexity, and capabilities, including technical infrastructure, hardware, and software capabilities; the costs of security measures; and the probability and criticality of potential risks to e-PHI.82 In addition to guidance from HHS regarding HIPAA, a CE should look to the guidance documents issued by the National Institute of Standards and Technology (NIST) to assist in properly securing electronic data in compliance with HIPAA.83
Footnotes
- 78. 45 C.F.R. § 164.302.
- 79. ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13401, 123 Stat. 260 (2009); Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,881-33, 40,917-18 (to be codified at 45 C.F.R. §§ 164.306, 164.314).
- 80. 45 C.F.R. § 164.304.
- 81. Id. at § 164.306.
- 82. Id.
- 83. See, e.g., Nat’l Inst. Of Standards & Tech., U.S. Dep’t of Commerce, NIST Special Publication 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (2008), available at http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revisio... (last visited April 27, 2012).
.png)