Security Rule

Electronic Protected Health Information


EPHI is Protected Health Information (PHI) created or received by a Covered Entity and transmitted by Electronic Media or maintained in Electronic Media. By definition, all EPHI is PHI.

The Privacy Rule Establishes Standards for EPHI 

The Privacy Rule establishes Standards for the Uses and Disclosures of all PHI, including EPHI, that Covered Entities and Business Associates are permitted and required to make, and Standards for the rights of Individuals regarding their own PHI, including EPHI. The Privacy Rule also requires a Covered Entity to have appropriate Administrative, Technical and Physical Safeguards in place to protect the Privacy of all PHI. Although the Privacy Rule was published first, HHS prepared the final Security Rule to ensure its Safeguards work “hand in glove” with Privacy Rule requirements for Administrative, Technical, and Physical Safeguards.

Breach Prevention Tip!

The HIPAA Security Rule provides a Blueprint to prevent Cyber-crime.

Security Rule Overview

The Security Rule requires Covered Entities and Business Associates to protect against uses and disclosures of EPHI that are not permitted or required by the Privacy Rule. To do that, they must implement Security Measures consisting of appropriate Administrative, Physical and Technical Safeguards to ensure the Confidentiality, Integrity, and Security of EPHI they create, receive, maintain or transmit. Accordingly, Security Rule Safeguards protecting EPHI count as the Administrative, Technical and Physical Safeguards that the Privacy Rule requires to protect the Privacy of PHI. Covered Entities and Business Associates must protect against reasonably anticipated threats to the security or integrity of EPHI and ensure compliance with the Security Rule by their Workforce.

Security Rule Safeguards

Security Rule Safeguards focus on Risks that threaten EPHI – PHI maintained and transmitted Electronically. The importance of implementing those Safeguards cannot be overstated. Since the Security Rule became effective in 2005, the amount of EPHI transmitted by and maintained in Electronic Media has grown dramatically, with assistance from Federal financial incentives. However, Breaches of Unsecured EPHI that could have been prevented by Security Rule compliance are routinely reported. Criminal attacks targeting EPHI are an urgent, persistent threat. EPHI Cyber-crime includes Medical Identity Theft and extortion, including Ransomware attacks.