The Security Rule of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) protects a subset of PHI called electronic protected health information (ePHI). Covered entities must secure ePHI in accordance with the HIPAA Security Rule.

This rule is designed to be flexible and scalable for covered entities of different sizes. It does not dictate specific measures; instead, each covered entity selects the safeguards that work best in its particular environment.

What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that protects patients’ medical information. It was enacted by President Bill Clinton on August 21, 1996 and overrides state laws regarding the safety of personal healthcare information.

It is a federal statute that regulates how healthcare organizations, known as covered entities, use and disclose patients’ protected health information (PHI). It also regulates business associates, which are companies that handle, transmit, or process PHI on behalf of a covered entity.

Covered entities include health plans, hospitals, nursing homes, laboratories, and physicians. They must comply with HIPAA rules, and so must their business associates, whose contracts require them to protect patients’ health information.

Business associates include billing firms, practice management companies, IT providers, faxing companies, shredding services, cloud storage services, and email hosting services. They must comply with HIPAA regulations, and their contracts must provide written assurances that they will follow the same security rules.

What is ePHI?

The Security Rule of HIPAA requires covered entities to implement reasonable and appropriate security safeguards to protect electronic protected health information (ePHI). ePHI is any PHI that is stored or transmitted electronically.

It may include records held in a cloud database, patient data shared via email, or health information in any other electronic form. This type of data needs to be protected by encryption and secure backup in order to ensure its safety.

In addition, ePHI must be available when patients need it, in accordance with HIPAA security standards. Its integrity must also be maintained, meaning it may not be altered without a patient’s permission.

To determine whether a piece of information qualifies as ePHI, consider the 18 types of identifiers listed above and how they relate to an individual’s past, present, or future physical or mental health or condition. If a piece of information can reveal any of these 18 identifiers, it counts as PHI under HIPAA.

What is the Security Rule?

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (ePHI).

These requirements are scalable, flexible, and generalizable, enabling covered entities and business associates to find solutions that work for their individual situations. Because HHS recognized that technology is constantly evolving, it chose to leave the administrative, physical, and technical safeguards of the Security Rule “technology neutral.”

The Security Rule requires covered entities to conduct risk assessments and analyze their controls to ensure they are protecting patient ePHI effectively. Failure to do so can result in financial penalties and reputational damage.

What are the requirements of the Security Rule?

The Security Rule lays out a set of national standards for the confidentiality, integrity, and availability of electronically stored health information. It includes requirements for administrative, physical, and technical safeguards, as well as risk analysis and risk management provisions.

Covered entities such as pharmacies, hospitals, health care providers, clearinghouses and health plans must comply with the Security Rule. These entities must also ensure their business associates meet these standards.

These standards include administrative safeguards such as information access management policies and workforce training. Covered entities must also conduct risk assessments and periodically evaluate their security plans and procedures to maintain HIPAA compliance.

The Security Rule also requires physical safeguards, such as data backup and disaster recovery plans. Note that the physical safeguard requirements are technology neutral: they can be implemented in a variety of environments, as long as the entity has the infrastructure and capability to support them.