HIPAA Security Rule Overview
Regulatory basis: The Security Rule is codified at 45 CFR Part 164, Subpart C (Sections 164.302 through 164.318). It was published as a final rule on February 20, 2003, with a compliance date of April 20, 2005 for most covered entities.
Purpose and Scope
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The Security Rule applies to covered entities (health plans, health care clearinghouses, and health care providers who transmit health information electronically) and their business associates. Per 45 CFR 164.302, it applies to all ePHI a covered entity or business associate creates, receives, maintains, or transmits.
General Requirements
Under 45 CFR 164.306(a), each covered entity and business associate must:
- Ensure the confidentiality, integrity, and availability of all ePHI the entity creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
- Ensure compliance by its workforce
Flexibility of Approach
Under 45 CFR 164.306(b), the Security Rule is intentionally technology-neutral and scalable. In deciding which security measures to use, a covered entity or business associate must consider: (i) its size, complexity, and capabilities; (ii) its technical infrastructure, hardware, and software security capabilities; (iii) the costs of security measures; and (iv) the probability and criticality of potential risks to ePHI.
Required vs. Addressable Specifications
Required
Must be implemented as specified. There is no flexibility regarding whether to implement the specification -- only how to implement it within the entity's environment.
Addressable
Per 45 CFR 164.306(d)(3), the entity must assess whether the specification is a reasonable and appropriate safeguard, and then either: (A) implement the specification, (B) implement an equivalent alternative measure, or (C) document why implementation is not reasonable and appropriate. "Addressable" does not mean "optional."
Safeguard Categories
Administrative Safeguards (45 CFR 164.308)
Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures and the conduct of the workforce. Includes: security management process (risk analysis, risk management, sanction policy), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, and evaluation.
Physical Safeguards (45 CFR 164.310)
Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Includes: facility access controls, workstation use and security, and device and media controls.
Technical Safeguards (45 CFR 164.312)
The technology and the policy and procedures for its use that protect ePHI and control access to it. Includes: access control (unique user identification, emergency access, automatic logoff, encryption), audit controls, integrity controls, person/entity authentication, and transmission security.
Organizational Requirements (45 CFR 164.314)
Requirements for business associate contracts and other arrangements between covered entities and their business associates. Ensures that business associates provide adequate safeguards for ePHI they create, receive, maintain, or transmit on behalf of the covered entity.
Documentation Requirements (45 CFR 164.316)
Requires covered entities and business associates to maintain written (which may be electronic) policies and procedures and written (which may be electronic) records of required actions, activities, or assessments. Documentation must be retained for six years from the date of its creation or the date when it last was in effect, whichever is later.
Enforcement
The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces the Security Rule through:
- Complaint investigations -- OCR investigates complaints filed by individuals who believe a covered entity or business associate violated their rights.
- Compliance reviews -- OCR may initiate reviews to determine compliance, often triggered by reported breaches.
- Audits -- OCR conducts periodic audits of covered entities and business associates to assess compliance with HIPAA Rules.
Penalty Tiers
Civil monetary penalties under 45 CFR 160.404 (as amended by HITECH):
| Tier | Knowledge Level | Per Violation | Annual Cap |
|---|---|---|---|
| Tier 1 | Did not know and would not have known | $100 -- $50,000 | $25,000 |
| Tier 2 | Reasonable cause, not willful neglect | $1,000 -- $50,000 | $100,000 |
| Tier 3 | Willful neglect, corrected within 30 days | $10,000 -- $50,000 | $250,000 |
| Tier 4 | Willful neglect, not corrected | $50,000 | $1,500,000 |
Key Dates
- 1996: HIPAA enacted (Public Law 104-191)
- 2003: Security Rule published as final rule (68 FR 8334)
- 2005: Security Rule compliance date for most covered entities
- 2009: HITECH Act enacted, extending requirements to business associates
- 2013: Omnibus Rule published, finalizing HITECH provisions (78 FR 5566)