Healthcare News & Insights

HIPAA Security Rule

HIPAA Security Overview

The Security Standards for the Protection of Electronic Protected Health Information, or what is more commonly known as the HIPAA Security Rule, establishes a national set of security standards for protecting important patient health information that is being housed or transferred in electronic form. As new technologies continue to impact the healthcare industry and healthcare providers, insurance companies, and others involved in the field transition to paperless processes and rely on electronic information systems, the safety and security of important health information has become a prime concern.

The HIPAA Security Rule was created as a flexible extension to the protections contained in the Privacy Rule, and its guidelines provide the steps that those covered by the Rule must enact to secure patients’ electronic health information. Since the healthcare industry is so diverse, the Security Rule was designed to be flexible enough to accommodate any covered entity’s structure and size.

Security Rule Goal: Protect Digital Patient Information

Healthcare providers today are using digital technologies in almost every aspect of the practice, from electronic health records (EHR), medical billing and coding software, and computerized physician order entry (CPOE) systems, to specialized technologies in pharmacy and radiology to help more accurately treat and diagnose patients. While storing and transferring information like this allows all physicians to check patients’ test results and medical records from any location, it also poses a serious security risk.

Like the Privacy Rule, the Security Rule covers all healthcare providers, healthcare clearinghouses, and health plans, but limits that coverage to those that transmit information electronically.

Coverage of individual health information is also very similar. Both the HIPAA Security Rule and the Privacy Rule cover information created by these parties that can individually identify a patient, but the Security Rule applies only to the information that is electronically transmitted, not information that is transmitted orally or in writing.

Managing Risk in a Digital Environment

In order to properly manage all risks to security and breaches of information, the Security Rule has mandated that all covered entities follow security guidelines to keep their practices in check.

One of the most important risk management practices is a Risk Analysis, an ongoing record review process that tracks access to electronically stored information, detects security incidents, evaluates potential risk points, and assesses security measures put into place.

According to the Department of Health and Human Services, the Risk Analysis process for compliance with the HIPAA Security Rule includes, but is not limited to:

  • Evaluating the likelihood and impact of potential risks to electronic protected health information
  • Implementing appropriate security measures to address the risks identified
  • Documenting the chosen security measures and, where required, the rationale for adopting those measures, and
  • Maintaining continuous, reasonable, and appropriate security protections.

There are also several other safeguards established by the HIPAA Security Rule to help protect private patient information. These safeguards cover administrative, technical, and physical practices to ensure complete compliance.

Some deal directly with the personnel in a healthcare environment and range from designating a security official responsible for overseeing security procedures, providing supervision and authorization requirements for those working with electronic information, training all employees to be compliant with the Rule and understand the guidelines established at the practice, and performing periodic assessments of the security and privacy practices being implemented.

Compliance Enforcements and Violation Penalties

All covered entities are required to comply with HIPAA Security or else strict fines and penalties will be enforced. Just as with the Privacy Rule, the Department of Health and Human Services provides education, training, and some technical assistance to help all covered entities stay within the guidelines set forth by the Security Rule.

One of the biggest obstacles that healthcare organizations are trying to overcome today is just how easy it is to breach private information. From merely misplacing a USB drive containing patient information, to having a computer stolen from an office, to having files “hacked” by external criminals, there are a number of threats to digitally stored information. If a violation is reported, the Department of Health and Human Services, along with the Office of Civil Rights, has the authority to impose civil or criminal penalties.

Like the Privacy Rule, civil penalties and criminal penalties can be imposed for noncompliance with the HIPAA Security Rule.

Civil penalties range from $25,000 to $1.5 million per year. However, fines cannot be imposed under some circumstances, such as if a health care professional unwillingly violated the Rule and if it was committed under reasonable circumstances. Covered entities are also given up to 30 days to rectify the violation from the time of the act before these fines can be imposed.

Criminal penalties can also be enforced and include monetary fines and imprisonment for a number of different degrees of violation. These range from $50,000 and a one-year sentence for knowingly accessing or obtaining protected information to $250,000 and up to ten years in prison for planning to sell, transfer, or use protected health information for harmful intentions, commercial advantage, or personal gain.


As technology continues to evolve and make its mark on the healthcare industry, compliance with the HIPAA Security Rule becomes more important than ever. By following the guidelines set forth in the Rule, all covered entities can practice at their highest efficiencies and help promote and deliver exceptional patient care.