The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is focused on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) which is created, received, maintained, or transmitted by any covered entity (CE) against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. Covered entities include: covered healthcare providers, health plans, healthcare clearinghouses, Medicare prescription drug card sponsors and business associates. By meeting the requirements set forth in the Security Rule for ePHI, CEs will also meet the ePHI requirements of the Privacy Rule.
The HIPAA Security Rule requirements have most recently been expanded via the Health Information Technology for Economic and Clinical Health (HITECH) Act, which establishes mandatory federal security breach reporting requirements with expanded criminal and civil penalties for non-compliance. Business associates of covered entities are now required to address the security rule requirements.
