What are the Privacy and Security Rules?
The Privacy and Security Rules are found in the Administrative Simplification provisions of HIPAA legislation, and they protect patient medical information.
Security Rule - The U.S. Department of Health & Human Services (HHS) published the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) in February 2003 and implemented it on April 21, 2005. This rule sets national standards for protecting the confidentiality, integrity, and availability of a patient’s electronic protected health information (ePHI) held or transferred digitally. The Security Rule addresses the technical and non-technical safeguards that organizations must put in place to secure a patient’s ePHI. The Security Rule groups its safeguards into three categories: Administrative, Physical, and Technical.
Privacy Rule - HHS published a final Privacy Rule in December 2000 (later modified in August 2002). The Privacy Rule applies to PHI in any form, not only electronic. This rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule has been required since April 14, 2003 (April 14, 2004, for small health plans). The concept of “minimum necessary” is central to the Privacy Rule: covered entities should use or disclose only the minimum amount of PHI needed for the intended purpose.
In December 2006, HHS published a HIPAA Security Guidance document. It describes high-risk areas for Security Rule breaches; for example, laptop theft is one of the most frequent causes of unauthorized data disclosure. The guidance specifically lists: laptops; home-based personal computers; tablets and smartphones; public workstations and wireless access points (WAPs); USB flash drives and memory cards; CDs; DVDs; backup media; email; smart cards; and remote access devices (including security hardware).