
Thousands of US organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule is a key part of HIPAA, federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.


If your organization is a Covered Entity (one that must comply with HIPAA), it is imperative that you understand the rule and take the necessary steps toward compliance. This article presents a detailed overview of the Security Rule and key factors you should consider when preparing to comply with the rule.



What is it? The rule applies to electronic protected health information (EPHI): health information in electronic form that relates to 1) an individual's past, present, or future physical or mental health or condition, 2) the provision of health care to an individual, or 3) past, present, or future payment for the provision of health care to an individual. The primary objective is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
Who does it apply to? Covered Entities (CE's) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and re-pricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) that transmit any EPHI.
How do I comply? CE's must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.
When are the deadlines? The final Security Rule became effective as of April 21, 2003. Most CE's must be in compliance by April 21, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006.




Civil penalties for non-compliance are tiered by the level of culpability:

Violation category | Minimum penalty | Maximum penalty
Individual did not know they violated HIPAA | $100 per violation; annual maximum of $25,000 for repeat violations | $50,000 per violation; annual maximum of $1.5 million
Reasonable cause and not willful neglect | $1,000 per violation; annual maximum of $100,000 for repeat violations | $50,000 per violation; annual maximum of $1.5 million
Willful neglect but corrected within the required time | $10,000 per violation; annual maximum of $250,000 for repeat violations | $50,000 per violation; annual maximum of $1.5 million
Willful neglect and not corrected | $50,000 per violation; annual maximum of $1.5 million | $50,000 per violation; annual maximum of $1.5 million



Though not formally defined in HIPAA, CE's that do not comply with the Security Rule could find themselves facing other unfavorable consequences:



Negative publicity: Non-compliant organizations may be discussed in public media (newspaper, radio, television) for not adequately protecting their customers' EPHI.
Loss of customers: Customers are increasingly aware of their rights under HIPAA and want their EPHI protected. They may refrain from doing business with organizations they believe do not adequately protect EPHI.
Loss of business partners: HIPAA requires that covered entities permit other organizations to create, receive, maintain, or transmit EPHI on their behalf only if the second organization can appropriately safeguard the information. CE's may be unwilling to exchange EPHI with organizations that do not adequately protect EPHI.
Legal liability: Many attorneys are aware of HIPAA and are ready to sue on behalf of clients whose rights are violated. For the first time, the federal government has put forth a set of requirements prescribing how EPHI must be protected. Attorneys are prepared to use these requirements to file civil suits against non-compliant CE's.


Principles

The Security Rule is based on several important principles.



Scalability: All sizes of CE's must be able to comply with the rule, from the one-person doctor's office to the insurance company with thousands of employees.
Comprehensiveness: CE's must have a unified security approach based on the principle of "defense in depth."
Technology neutral: The rule does not require CE's to implement specific security technology (for example, a specific type of firewall or IDS). Each CE must choose the appropriate technology to protect its EPHI.
Internal and external security threats: CE's must protect their EPHI against both internal and external threats.
Risk analysis: CE's must regularly conduct thorough and accurate risk analysis.


Technical Safeguards

The technical safeguards are a set of requirements for using technology to protect EPHI, particularly for controlling access to it. The specific standards are:



Access control: Policies, procedures, and processes must be developed and implemented for electronic information systems that contain EPHI so that access is allowed only to persons or software programs that have appropriate access rights.
Audit controls: Mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI.
Integrity: Policies, procedures, and processes must be developed and implemented that protect EPHI from improper modification or destruction.
Person authentication: Policies, procedures, and processes must be developed and implemented that verify that persons or entities seeking access to EPHI are who or what they claim to be.
Transmission security: Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI that is being transmitted over an electronic communications network (e.g., the Internet).
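The five standards above are stated as policy requirements; the following is an added example (not from the original article or any vendor product) of what they look like as code. It is a small in-memory record service with role-based "minimum necessary" access control, an audit log of every access attempt, an HMAC integrity tag on each stored record, salted password authentication, and a check that EPHI is only sent over an encrypted (HTTPS) channel. The user names, roles, passwords, patient records and field sets are constructed sample data and are assumptions for illustration only.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit


def _hash_password(password: str, salt: str) -> str:
    # PBKDF2 with a per-user salt; a real deployment would use a directory
    # service or a dedicated password-hashing library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed sample users (assumption): each has a salt, a role and a password hash.
USERS = {
    "dr_lee":  {"salt": "s1", "role": "physician", "pw": _hash_password("correct horse", "s1")},
    "billing": {"salt": "s2", "role": "billing",   "pw": _hash_password("staple battery", "s2")},
}

# Access control: each role may see only the EPHI fields its job requires (assumed field sets).
ROLE_FIELDS = {
    "physician": {"patient_id", "diagnosis", "medications"},
    "billing":   {"patient_id", "insurer", "claim_amount"},
}

# Integrity: every stored record carries an HMAC over its canonical JSON form.
# The key is generated per process here; in practice it would live in a key store.
INTEGRITY_KEY = secrets.token_bytes(32)


def _tag(record: dict) -> str:
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, "sha256").hexdigest()


def transmission_target_ok(url: str) -> bool:
    """Transmission security: EPHI may only leave the system over an encrypted channel."""
    return urlsplit(url).scheme == "https"


class EphiStore:
    def __init__(self):
        self._records = {}   # patient_id -> (record, integrity tag)
        self.audit_log = []  # audit controls: one entry per access attempt, success or not

    def _audit(self, user: str, action: str, patient_id: str, outcome: str) -> None:
        self.audit_log.append({"ts": time.time(), "user": user, "action": action,
                               "patient_id": patient_id, "outcome": outcome})

    def put(self, record: dict) -> None:
        self._records[record["patient_id"]] = (dict(record), _tag(record))

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Person authentication: return the user's role, or None if the credentials fail."""
        user = USERS.get(username)
        if user is None:
            return None
        candidate = _hash_password(password, user["salt"])
        # compare_digest keeps the comparison time independent of where the strings differ
        return user["role"] if hmac.compare_digest(candidate, user["pw"]) else None

    def read(self, username: str, password: str, patient_id: str) -> Optional[dict]:
        """Return the caller's permitted view of a record, or None (the reason is audited)."""
        role = self.authenticate(username, password)
        if role is None:
            self._audit(username, "read", patient_id, "auth_failed")
            return None
        entry = self._records.get(patient_id)
        if entry is None:
            self._audit(username, "read", patient_id, "not_found")
            return None
        record, tag = entry
        if not hmac.compare_digest(_tag(record), tag):   # integrity: detect modification
            self._audit(username, "read", patient_id, "integrity_failure")
            return None
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
        self._audit(username, "read", patient_id, "ok")
        return view

    def failed_accesses(self) -> list:
        """Audit controls also require examining activity: return every non-successful attempt."""
        return [e for e in self.audit_log if e["outcome"] != "ok"]


if __name__ == "__main__":
    store = EphiStore()
    # Constructed sample record (assumption), not real patient data.
    store.put({"patient_id": "P001", "diagnosis": "hypertension",
               "medications": ["lisinopril"], "insurer": "Example Health", "claim_amount": 120.0})
    print(store.read("dr_lee", "correct horse", "P001"))   # physician view: no billing fields
    print(store.read("billing", "staple battery", "P001"))  # billing view: no clinical fields
    print(store.read("dr_lee", "wrong password", "P001"))  # None; audited as auth_failed
    print(store.failed_accesses())
```

The point of the example is that each standard maps to a concrete control that can be tested: a role that is not entitled to a field never receives it, a failed login or a tampered record is refused and leaves an audit entry, and a transmission to a non-HTTPS destination is rejected before any EPHI is sent.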

Documentation standard


CE's must maintain all documentation (e.g., policies, procedures) required by the Security Rule for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, CE's must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of EPHI.

Key Factors for Compliance


Complying with the HIPAA Security Rule can require significant time and effort. CE's must comply with 18 broad standards, many of which have specific requirements. The time and effort required will vary significantly, depending, in part, on the security policies, procedures, and processes an organization already has in effect.


If your organization regularly conducts risk analysis, uses a unified, "defense in depth" security approach, has formal, documented security policies and procedures, and conducts regular workforce training, it will almost certainly require less time and effort to comply with the Security Rule than an organization that does not. The complexity of your organization will also determine the time and effort required to comply. A five-person dentist's office will likely require less time and effort than a highly decentralized hospital employing thousands.


Regardless of size or complexity, if your organization is a CE, there are eight key steps you should consider when preparing to comply with the Security Rule.

Obtain and Maintain Senior Management Support


Because compliance can require significant time, effort, and resources, it is critical that senior management be educated about the Security Rule and make a clear statement of support for compliance before compliance efforts begin. If possible, senior managers should be project sponsors for Security Rule compliance projects. If senior managers resist allocating adequate resources for compliance efforts, present them with the unpleasant consequences of non-compliance, discussed earlier. It is reasonable to assume that senior managers of CE's that do not comply with the Security Rule will be the focus of auditors, unhappy consumers, and eager attorneys. As compliance efforts progress, keep senior management informed and up-to-date.


Develop and Implement Security Policies


Before implementing security processes and methods to protect EPHI, carefully identify and define what security policies you need to develop and implement. As noted earlier, the rule requires a number of formal, documented security policies. These will help define your organization's strategic security goals, identify critical assets, and provide a foundation for the selection and use of security technologies. Security policies will also provide your organization with an overall security framework, ensuring that your security efforts are consistent and integrated rather than fragmented. Additionally, security policies are a clear mandate from senior management that security is a necessary and important part of your organization.


Conduct and Maintain Inventory of EPHI


It is difficult to ensure the confidentiality, integrity, and availability of EPHI if you can't locate it (or worse, if you don't even know you have it). Imagine one of your senior managers being questioned by an auditor or jury and trying to explain that some of your organization's EPHI was misused because your organization didn't know it had the EPHI. This is a risky and unpleasant position to be in.  You should regularly identify and document the location of your organization's EPHI. It is particularly important to identify and document the flow of EPHI in, out, and throughout your organization. Do you regularly exchange EPHI with certain business partners? Does information system A regularly send EPHI to information system B? Does your organization regularly send EPHI over the Internet?


Be Aware of Political and Cultural Issues Raised by HIPAA


Compliance with the Security Rule is not just a matter of developing and implementing security technology. Compliance may require significant changes in your organizational culture, particularly in how workforce members interact with EPHI. For example, changes to a CE's access control policy may mean that workforce members who had unrestricted access to EPHI now have only limited access, i.e., access only to the EPHI necessary to carry out their jobs. Another example would be new policies and procedures that require the monitoring or auditing of employee actions. Such changes can provoke fear, confusion, resistance, or political battles within an organization. You can mitigate such issues by educating all workforce members about the requirements of the Security Rule, why it's important to protect EPHI, and the general steps your organization will be taking to comply with the rule. This should be done early in the compliance process. Soliciting workforce member feedback and review on proposed security policies and processes can also help. People are much more likely to understand and comply with security policies and processes they have helped develop than those they haven't.


Conduct Regular and Detailed Risk Analysis


"Risk" can be simply defined as "the likelihood that a specific threat will exploit a certain vulnerability, and the resulting impact of that event." "Risk analysis" is a systematic and analytical approach that identifies and assesses risks and provides recommendations to reduce risk to a reasonable and appropriate level.

Risk analysis enables a CE to identify and define its critical assets and the risks to them. Risk analysis will enable senior management to understand the risks to your organization's EPHI, and to allocate appropriate resources to mitigate those risks and reasonably protect that EPHI.


Determine What is Appropriate and Reasonable


You should use risk analysis as the basis for developing and implementing appropriate and reasonable protections for your organization's EPHI. The Security Rule does not expect CE's to protect their EPHI against all possible risks or to have "perfect" security. Nor does the Security Rule assume that CE's have unlimited time, money and resources for protecting EPHI. Rather, the rule expects CE's to understand their EPHI, the reasonably anticipated risks to the EPHI, and the CE's capabilities to then develop and implement security measures.


Document Security Policies and Decisions


The Security Rule requires CE's to document a wide variety of security policies, procedures, and decisions. It is very important that these be formally documented and approved by senior management and regularly reviewed and revised as necessary. If your organization is visited by an auditor or an attorney, one of the first requests they will likely make is to view your security policies. They will want to compare your security practices against those required by the policies. A CE with no or limited documented security policies will be at significant risk. Auditors and attorneys will also want to see written documentation of the addressable implementation specification decisions your organization makes. For example, if you determine that it is not reasonable and appropriate to encrypt EPHI when sending it over the Internet, it's very important to formally document and approve this decision.


Prepare for Ongoing Compliance


CE's are expected to comply with the Security Rule on an ongoing basis. You should develop and implement security policies, procedures, processes, and controls with the understanding that they must be regularly reviewed and modified as necessary. In the future, risks to EPHI and associated mitigation measures are likely to change; you must understand and be prepared to respond to these changes. Additionally, as a piece of federal legislation, the Security Rule is subject to change by the US government or courts. You should regularly monitor the rule for changes.

Health care consumers expect their medical information to be appropriately protected. After much delay, the HIPAA Security Rule has arrived in an effort to address their concerns. Compliance will require CE's to (1) identify the risks to their EPHI and (2) implement a wide variety of security best practices. Complying with the Security Rule can require significant time and resources. Now is the time to begin compliance efforts.