4.3 HIPAA Security Rule
Key Takeaways
- The Security Rule protects only electronic protected health information (ePHI); paper and spoken PHI fall under the Privacy Rule instead.
- The Security Rule organizes safeguards into three categories: Administrative, Physical, and Technical.
- Implementation specifications are either required, meaning they must be done, or addressable, meaning the entity must implement, document an equivalent alternative, or document why it is not reasonable.
- A documented risk analysis is a required, foundational specification that identifies threats and vulnerabilities to ePHI.
- Encryption of ePHI is technically an addressable specification, but in practice it is treated as de facto required because unencrypted data drives most reportable breaches.
Scope: Electronic PHI Only
The HIPAA Security Rule protects electronic protected health information (ePHI) — PHI that is created, received, maintained, or transmitted in electronic form. Paper records and verbal disclosures are protected by the Privacy Rule, not the Security Rule. For a biller, ePHI includes claims in a practice management system, electronic remittances, eligibility responses, and emailed patient data.
The Security Rule requires Covered Entities and Business Associates to protect three properties of ePHI: confidentiality (only authorized people and processes can access it), integrity (it is not improperly altered or destroyed), and availability (it is accessible when needed by those authorized to use it).
Required vs. Addressable Specifications
Each safeguard standard contains implementation specifications, and each specification is labeled one of two ways:
- Required — must be implemented exactly as written.
- Addressable — the entity must assess whether the specification is reasonable and appropriate, then either implement it, implement a documented equivalent alternative, or document why neither is reasonable.
Addressable does not mean optional. It means the response must be reasoned and documented.
The Three Safeguard Categories
| Safeguard Category | Focus | Examples |
|---|---|---|
| Administrative | Policies, procedures, and workforce management | Risk analysis, security officer designation, workforce training, sanction policy, contingency planning |
| Physical | Protecting facilities, devices, and media | Facility access controls, workstation security, device and media disposal and reuse |
| Technical | Technology controls on systems and data | Access controls, audit controls, integrity controls, person authentication, transmission security |
Key Technical Safeguards
- Access controls — unique user IDs, automatic logoff, and emergency access procedures so only authorized users reach ePHI.
- Audit controls — hardware, software, or procedural mechanisms that record and examine system activity.
- Integrity controls — measures that confirm ePHI has not been improperly altered or destroyed.
- Person or entity authentication — verifying a user is who they claim to be (passwords, multifactor authentication).
- Transmission security — protecting ePHI as it moves across a network, including integrity controls and encryption.
The Risk Analysis Requirement
A risk analysis is a required Administrative specification and the foundation of Security Rule compliance. The entity must conduct an accurate, thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI it holds, then implement reasonable measures to reduce those risks to an acceptable level. Breach investigations by the HHS Office for Civil Rights (OCR) very often cite a missing or incomplete risk analysis.
Why Encryption Is Effectively Required
Encryption of ePHI — both at rest and in transmission — is technically an addressable specification. However, encryption is the recognized way to render PHI "secured" rather than "unsecured": properly encrypted data that is lost or stolen generally does not trigger the Breach Notification Rule. Because unencrypted laptops, drives, and emails cause a large share of reportable breaches, billers and their employers should treat encryption as de facto required.
An encryption implementation specification in the Security Rule is labeled 'addressable.' What does this mean for a Covered Entity?