The HIPAA Security Rule Explained

Administrative, physical, and technical safeguards, the required vs. addressable distinction, and implementation specifications for ePHI.

What Is the HIPAA Security Rule?

The HIPAA Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, was published in 2003 and took effect in April 2005. It establishes a national set of security standards for protecting electronic protected health information (ePHI) that is created, received, used, or maintained by covered entities and their business associates.

Unlike the Privacy Rule, which covers PHI in any form (paper, oral, electronic), the Security Rule applies exclusively to ePHI — health information in electronic format. The Rule was designed to be technology-neutral and scalable, recognizing that covered entities range from small physician practices to large hospital systems with vastly different resources and risk profiles.

The Three Categories of Safeguards

The Security Rule organizes its requirements into three categories of safeguards:

1. Administrative Safeguards

Administrative safeguards are the policies, procedures, and actions that manage the selection, development, implementation, and maintenance of security measures to protect ePHI. They include:

  • Security management process (risk analysis, risk management, sanction policy, information system activity review)
  • Assigned security responsibility (designating a security official)
  • Workforce security (authorization, supervision, termination procedures)
  • Information access management (isolating healthcare clearinghouse functions, access authorization and establishment)
  • Security awareness and training
  • Security incident procedures
  • Contingency plan (data backup, disaster recovery, emergency mode operations)
  • Evaluation (periodic technical and non-technical evaluation)
  • Business associate contracts and other arrangements

2. Physical Safeguards

Physical safeguards are physical measures, policies, and procedures to protect covered entities' electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. They include:

  • Facility access controls
  • Workstation use policies
  • Workstation security
  • Device and media controls (disposal, media re-use, accountability, data backup and storage)

3. Technical Safeguards

Technical safeguards are the technology and the policy and procedures for its use that protect ePHI and control access to it. They include:

  • Access controls (unique user identification, emergency access procedure, automatic logoff, encryption and decryption)
  • Audit controls
  • Integrity controls (authentication mechanisms)
  • Person or entity authentication
  • Transmission security (encryption, integrity controls)

Required vs. Addressable Implementation Specifications

One of the most important — and most misunderstood — aspects of the Security Rule is the distinction between required and addressable implementation specifications.

Required specifications must be implemented. There is no flexibility; every covered entity must implement them. Examples include risk analysis, risk management, a sanction policy, unique user identification, and emergency access procedures.

Addressable specifications require covered entities to assess whether the specification is reasonable and appropriate for their environment. If it is, they must implement it. If not, they must document why it is not reasonable and appropriate and implement an equivalent alternative measure if one exists. "Addressable" does not mean "optional" — it means contextually evaluated. Many organizations incorrectly assume addressable specifications can simply be skipped.

Risk Analysis: The Foundation of the Security Rule

The Security Rule's most fundamental requirement is a thorough and accurate risk analysis. Covered entities must identify and document all ePHI they create, receive, maintain, or transmit; identify and document potential threats and vulnerabilities; assess the current security measures in place; determine the likelihood and impact of threat occurrence; and document the risk level. The risk analysis informs the risk management process, which involves implementing security measures to reduce risks to a reasonable and appropriate level.
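An added example, not from the article or from HHS, that encodes the two decision rules explained above: the required-vs-addressable logic from the previous section and the likelihood-and-impact risk register that the risk analysis produces. The Spec and Risk classes, the 1 to 5 scale and the sample inventory are assumptions for illustration.

```python
from dataclasses import dataclass
# Constructed risk-register model; spec names come from the article, the
# 1-5 likelihood/impact scale and all sample data are assumptions.
@dataclass
class Spec:
    name: str
    required: bool          # True = required, False = addressable
    implemented: bool
    rationale: str = ""     # why it is not reasonable and appropriate here
    alternative: str = ""   # equivalent alternative measure, or "none"
@dataclass
class Risk:
    asset: str              # system holding or transmitting ePHI
    threat: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)

def risk_level(r: Risk) -> str:
    score = r.likelihood * r.impact
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rank_risks(risks):
    """Register ordered so risk management starts with the worst items."""
    ordered = sorted(risks, key=lambda r: r.likelihood * r.impact, reverse=True)
    return [(r.asset, r.threat, risk_level(r)) for r in ordered]

def spec_findings(specs):
    """Unimplemented addressable spec passes only with rationale plus alternative
    (or explicit 'none'); unimplemented required spec never passes."""
    findings = []
    for s in specs:
        if s.implemented:
            continue
        if s.required:
            findings.append(f"{s.name}: required specification not implemented")
        elif not s.rationale:
            findings.append(f"{s.name}: addressable spec skipped without rationale")
        elif not s.alternative:
            findings.append(f"{s.name}: rationale recorded but no alternative documented")
    return findings
SAMPLE_SPECS = [  # constructed inventory for a small practice
    Spec("Risk analysis", required=True, implemented=True),
    Spec("Unique user identification", required=True, implemented=False),
    Spec("Encryption and decryption", required=False, implemented=False,
         rationale="ePHI stays on an isolated network", alternative="segmentation"),
    Spec("Automatic logoff", required=False, implemented=False),
]
SAMPLE_RISKS = [Risk("EHR database server", "ransomware via phishing", 4, 5),
                Risk("Front-desk workstation", "theft of device", 2, 3)]
```

Running `spec_findings(SAMPLE_SPECS)` flags the skipped required spec and the addressable spec with no documented rationale, while the documented encryption decision passes; `rank_risks(SAMPLE_RISKS)` puts the ransomware risk first as "high".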

Flexibility and Scalability

The Security Rule was intentionally written to be flexible and scalable. When implementing security measures, covered entities may consider their size, complexity, and capabilities; their technical infrastructure, hardware, and software security capabilities; the cost of security measures; and the probability and criticality of potential risks to ePHI. A small rural clinic is not expected to implement the same technical infrastructure as a large academic medical center, but both must achieve the same fundamental goal: protecting ePHI from reasonably anticipated threats.

Documentation Requirements

Covered entities must maintain written documentation of all Security Rule policies, procedures, actions, activities, and assessments. All documentation must be retained for six years from the date of creation or from the date it was last in effect, whichever is later. Documentation must be made available to those responsible for implementing the procedures and must be reviewed and updated periodically.
