PAUL R. HALES, ATTORNEY AT LAW, LLC
                                                                                                                                                                                           
Tel: 314-534-3534
Fax: 314-534-0444

Paul R. Hales

Attorney at Law

3534 Washington Ave.

St. Louis, MO 63103


 

HIPAA Security Rule 

The Security Rule – Electronic Protected Health Information (EPHI)

  

The Security Rule establishes Standards for the protection of Electronic Protected Health Information (EPHI). Covered Entities and Business Associates must comply with the Security Rule and are directly liable for civil and criminal penalties for violations.

   

Download the Security Rule Primer. It is written in plain language, organized with a Table of Contents, and clarifies Security Rule compliance for Covered Entities and Business Associates. All material in the Security Rule Primer is from The HIPAA E-Tool® used by permission of ET&C Group LLC. Footnotes with exact legal references are provided for compliance officials and legal counsel.

 

EPHI

EPHI is Protected Health Information (PHI) created or received by a Covered Entity and transmitted by Electronic Media or maintained in Electronic Media. By definition, all EPHI is PHI.

 

The Privacy Rule Establishes Standards for EPHI 

The Privacy Rule establishes Standards for Uses and Disclosures of all PHI including EPHI that Covered Entities and Business Associates are permitted and required to make and Standards for the rights of Individuals regarding their own PHI including EPHI. The Privacy Rule also requires a Covered Entity to have appropriate Administrative, Technical and Physical Safeguards in place to protect the Privacy of all PHI. Although the Privacy Rule was published first, HHS prepared the final Security Rule to ensure its Safeguards work “hand in glove” with Privacy Rule requirements for Administrative, Technical, and Physical Safeguards.

 

Security Rule Overview

The Security Rule requires Covered Entities and Business Associates to protect against uses and disclosures of EPHI that are not permitted or required by the Privacy Rule. To do that they must implement Security Measures consisting of appropriate Administrative, Physical and Technical Safeguards to ensure the Confidentiality, Integrity, and Security of EPHI they create, receive, maintain or transmit. Accordingly, Security Rule Safeguards protecting EPHI count as Administrative, Technical and Physical Safeguards to protect the Privacy of PHI required by the Privacy Rule. Covered Entities and Business Associates must protect against reasonably anticipated threats to the security or integrity of EPHI and ensure compliance with the Security Rule by their Workforce.

  

Security Rule Safeguards

Security Rule Safeguards focus on Risks that threaten EPHI – PHI maintained and transmitted Electronically. The importance of implementing those Safeguards cannot be overstated. Since the Security Rule became effective in 2005, the amount of EPHI transmitted by Electronic Media and maintained in Electronic Media, with assistance from Federal financial incentives, has grown dramatically. However, Breaches of Unsecured EPHI that could have been prevented by Security Rule compliance are routinely reported. Criminal attacks targeting EPHI are an urgent, persistent threat. EPHI Cyber-Crime includes Medical Identity Theft and extortion, including Ransomware attacks.

BREACH PREVENTION TIP

The HIPAA Security Rule provides a Blueprint to prevent Cyber-Crime.