What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that mandated national standards for covered entities and health care providers to protect confidential patient health information from being disclosed without the consent or knowledge of the patient.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to enact HIPAA’s requirements. The HIPAA Security Rule covers a subset of the information covered by the Privacy Rule.
HIPAA Security Rule
The HIPAA Privacy Rule covers protected health information (PHI), but the Security Rule protects only a subset of that information.
This subset covers all personally identifiable health information created, received, retained, or distributed in electronic form by a covered entity. This data is referred to as “electronic protected health information” (e-PHI).
To comply with the HIPAA Security Rule, all covered entities must do the following:
- Ensure that all electronic protected health information is kept private, safe, and accessible.
- Detect and protect against possible threats to the information’s security.
- Protect against anticipated, impermissible uses or disclosures.
- Certify compliance by their workforce.
When considering requests for these permissive uses and disclosures, covered organizations should use their best discretion and professional ethics.
The HHS Office for Civil Rights implements HIPAA regulations, and all grievances should be addressed to it. Violations of HIPAA can result in civil or criminal penalties.
What Information is protected by HIPAA Security Rule?
Electronic Protected Health Information
As explained under Information Privacy, the HIPAA Privacy Rule protects the privacy of individually identifiable health information, also known as protected health information (PHI).
The Security Rule protects all individually identifiable health information that a covered organization produces, collects, retains, or transmits in electronic form, which is a subset of the information covered by the Privacy Rule.