Paul R. Hales
Attorney at Law
3534 Washington Ave.
St. Louis, MO 63103
TEL: 314-534-3534

HIPAA Security Rule

The HIPAA Security Rule[1] establishes Security Measures that apply to Electronic Protected Health Information (EPHI).[2] EPHI is Protected Health Information (PHI) transmitted by Electronic Media or maintained in Electronic Media.[3] Security Measures are all the administrative,[4] physical[5] and technical safeguards[6] that protect an organization’s information system.[7] Information system means the interconnected set of information resources controlled by or for an organization that normally includes hardware, software, information, data, applications, communications and people.[8]

Covered Entities and Business Associates are directly liable for compliance with the Security Rule[9] and for civil and criminal penalties for violations.[10]

Because it focuses on EPHI, the Security Rule is limited in scope compared to the Privacy Rule, which covers all PHI, whether it is transmitted or maintained in electronic media or in any other form or medium.[11] However, the critical importance of the Security Rule’s safeguards to protect EPHI continually increases because of the rapid expansion in the use of EPHI stimulated by Federal policy and the increasing frequency of widely publicized EPHI breaches, which have now affected more than 100 million people.[12]

Transmission and storage of EPHI provide significant opportunities to improve Health Care quality, safety and efficiency. However, the advantages of EPHI are accompanied by risks specific to electronic media. The FBI issued a warning to the Health Care Industry concerning theft of EPHI with the ominous note that the Health Care Industry is not technically prepared to defend against cyber criminals’ basic cyber intrusion tactics.[13]

The largest breach of PHI so far affected 78,800,000 people. It is described by the U.S. Department of Health and Human Services (HHS) as a “Hacking/IT Incident” on a network server reported by the Anthem health plan on March 13, 2015.[14] HHS has not yet announced the outcome of its HIPAA Enforcement Rule activities regarding the Anthem breach.

The Enforcement Rule gives HHS authority to settle cases involving HIPAA violations as an alternative to taking each case through Federal judicial proceedings.[15] Some settlements, called Resolution Agreements, are published by HHS. The HHS Resolution Agreements concerning EPHI breaches invariably find that a lack of routine Security Rule compliance caused the breaches.[16] Failure to conduct an adequate Risk Analysis and to develop a Risk Management program that addresses the organization’s risks is consistently cited as a fundamental HIPAA Security Rule violation leading directly and inevitably to breaches.[17]

A Covered Entity or Business Associate that experiences theft or loss of EPHI is exposed to unplanned financial expense and damage to its reputation, both of which can be substantial. News reports of any breach raise concerns about the organization’s ability to protect sensitive information. It is now even more urgent that Covered Entities and Business Associates review, revise, develop and implement the reasonable and appropriate Security Measures required by the Security Rule to protect EPHI.[18]

Covered Entities and Business Associates must comply with all Security Rule Standards.[19] A Standard is a rule, condition, or requirement concerning the Privacy of EPHI.[20] HHS deliberately wrote the Standards in general terms so that organizations would have the flexibility to meet the Standards through various approaches and technologies, including new technologies.[21] Most Standards include Implementation Specifications. Implementation Specifications are specific requirements or instructions for implementing a Standard.[22] In some cases the Standard itself includes all the instructions necessary for implementation and has no Implementation Specification providing more specific instructions or requirements.[23] Covered Entities and Business Associates are required to comply with each Standard, regardless of whether its Implementation Specifications are Required or Addressable or whether it has no Implementation Specification at all.[24]

Implementation Specifications are labeled as Required or Addressable.[25] The Security Rule’s designation of an Implementation Specification as “Addressable” does not mean that compliance with the Implementation Specification is “optional.” HHS created the category “Addressable Implementation Specification” to provide additional flexibility in complying with a Standard.[26]

Covered Entities and Business Associates must implement all Required Implementation Specifications.[27]

Covered Entities and Business Associates must decide whether an Addressable Implementation Specification is a reasonable and appropriate Security Measure for them to implement within their specific security environment, based on its likely contribution to protecting EPHI.[28] The decision will depend on a variety of factors, such as the organization’s Risk Analysis, Risk Management Program, size, complexity, capabilities and the cost of implementation.[29] However, it is noteworthy that HHS found during its 2012 Pilot HIPAA Compliance Audits of Covered Entities that almost all deficiencies related to Standards with Addressable Implementation Specifications could have been avoided if the Covered Entity had fully implemented the Addressable Implementation Specification.[30]

[1] 45 CFR Part 160 and Subparts A and C of Part 164

[2] 45 CFR § 164.302; 68 FR 8342, Feb. 20, 2003

[3] 45 CFR § 164.103; 58 FR 5567, Jan. 25, 2013

[4] 45 CFR § 164.304; 45 CFR § 164.308

[5] 45 CFR § 164.304; 45 CFR § 164.310

[6] 45 CFR § 164.304; 45 CFR § 164.312

[7] 45 CFR § 164.304

[8] Ibid.

[9] 45 CFR § 164.302; 78 FR 5589, Jan. 25, 2013

[10] 45 CFR Part 160, Subparts C, D and E; 45 CFR § 160.103; 42 U.S.C. § 1320d-6; 78 FR 5576-87 and 5689-92, Jan. 25, 2013; see also U.S. Department of Justice Memorandum, September 9, 2015, From: Deputy Attorney General Sally Quinn Yates, Subject: Individual Accountability for Corporate Wrongdoing (“Yates Memo”)

[11] 45 CFR § 164.500; 45 CFR § 164.103; 68 FR 8374, Feb. 20, 2003

[12] Sec. 3011, Subtitle B, Incentives for the Use of Health Information Technology, “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act”, Public Law 111-5, Feb. 17, 2009

[13] FBI Cyber Division Private Industry Notification, PIN #: 140408-009, 8 April 2014

[14] U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information,

[15] 45 CFR § 160.514

[16] See for example: Resolution Agreement between the United States Department of Health and Human Services, Office for Civil Rights and Centers for Medicare & Medicaid Services and Providence Health & Services, a Washington non-profit corporation, Providence Health System - Oregon, an Oregon non-profit corporation, and Providence Hospice and Home Care, a Washington non-profit corporation, July 11, 2008; Resolution Agreement between United States Department of Health and Human Services, Office for Civil Rights and The Board of Regents of the University of Washington, on behalf of University of Washington and its Affiliated Covered Entity referred to as "UW Medicine", December 14, 2015

[17] Resolution Agreement between the United States Department of Health and Human Services, Office for Civil Rights and Adult & Pediatric Dermatology, P.C., December 24, 2013; Resolution Agreement between the United States Department of Health and Human Services, Office for Civil Rights and Idaho State University, May 10, 2013

[18] 45 CFR § 164.306

[19] 45 CFR § 164.306(c)

[20] 45 CFR § 160.103

[21] 68 FR 8336, Feb. 20, 2003; 45 CFR § 164.306(b)

[22] Ibid.

[23] 68 FR 8336, Feb. 20, 2003; see e.g. 45 CFR § 164.310(b)

[24] 45 CFR § 164.306(c); 68 FR 8336, Feb. 20, 2003

[25] 45 CFR § 164.306(d)(1)

[26] 68 FR 8336, Feb. 20, 2003; 45 CFR § 164.306(b)

[27] 45 CFR § 164.306(d)(2)

[28] 45 CFR § 164.306(d)(3)(i)

[29] 68 FR 8336, Feb. 20, 2003

[30] Rinker, Verne, Presentation: HIPAA Privacy, Security and Breach Notification Audits, Program Overview & Initial Analysis, Safeguarding Health Information: Building Assurance through HIPAA Security, 6th Annual Conference co-hosted by The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), May 21, 2013, Washington, D.C.; McAndrew, Susan, Presentation: OCR Updates, HIT Policy Committee, December 4, 2013, Arlington, VA