May 2

HIPAA Privacy and Security Rules: What’s the Difference?


The HIPAA Privacy and Security Rules are two key components of HIPAA.  While the Privacy Rule is focused on protecting the confidentiality of patient health information, the Security Rule focuses on the security and integrity of electronic health information.  Understanding the differences between the two is essential for healthcare providers and organizations that must abide by HIPAA requirements.  In this blog post, we will discuss the basics of the HIPAA Privacy Rule and the Security Rule, highlighting the key differences between them and how the two complement each other.

The Basics of the HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information (known as the “Privacy Rule”) sets national standards for safeguarding protected health information (PHI).  It establishes a series of regulations for covered entities (which include healthcare providers, health plans, and healthcare clearinghouses) and business associates (such as billing companies, IT service providers, and professional services like law firms and accountants) to ensure the confidentiality of PHI.

The Privacy Rule governs how PHI is used, disclosed, and stored by a covered entity (CE) or business associate (BA).  It also outlines how individuals can access their PHI.  The Privacy Rule sets requirements for how and when a patient’s health information can be shared with other entities and individuals, including family members or caregivers.  This is known as “Authorized Uses and Disclosures.”

Authorized Uses and Disclosures

When using or sharing PHI, an organization is required to obtain the individual’s written authorization, except when the use or disclosure is for treatment, payment, or healthcare operations (“TPO”).  The authorization must be specific and in plain language, including information about the PHI being disclosed, who is disclosing and receiving it, expiration, the right to revoke in writing, and other relevant data.  Examples of disclosures that require authorization include those to life insurers, employers for pre-employment physicals or lab tests, and pharmaceutical firms for marketing purposes.

Right of Access

Individuals generally have the right to access and obtain a copy of their PHI in a CE’s designated record set, with certain exceptions.  The designated record set includes records maintained by or for a CE that are used to make decisions about individuals or that contain medical and billing records for providers or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.

However, access to certain types of protected health information is excepted, such as psychotherapy notes, information compiled for legal proceedings, laboratory results whose release is prohibited under the Clinical Laboratory Improvement Act (CLIA), or information held by certain research laboratories.

Notice of Privacy Practices

With a few exceptions, CEs are required to provide a notice of their privacy practices to individuals.  The notice must contain specific elements, such as how the CE may use and disclose protected health information, its duties to protect privacy, individuals’ rights, and a point of contact for further information or to make complaints.  CEs must comply with their notices, and the Privacy Rule outlines specific distribution requirements for direct treatment providers, other healthcare providers, and health plans.  If individuals believe their privacy rights have been violated, they have the right to complain to both the CE and the U.S. Department of Health and Human Services (HHS).  HHS provides detailed guidance on what the Notice of Privacy Practices must contain.

The Basics of the HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”) is a set of standards for the protection of electronically stored or transmitted patient health information, or ePHI.  The Security Rule establishes administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.  Within these safeguards are two different types of implementation specifications: Required and Addressable.

Required Specification

A required specification is a standard that must be implemented by the CE or BA to comply with the Security Rule.  Failure to implement required specifications can result in penalties for non-compliance.  An example of a required specification is the creation and use of a risk management plan.  Check out our article on risk assessments and risk management for more information.

Addressable Specification

An addressable specification, on the other hand, is a standard that allows CEs and BAs to determine the appropriate implementation for their organization based on factors such as size, resources, and risk analysis.  “Addressable” does not mean optional: CEs and BAs are still required to assess whether the specification is reasonable and appropriate for their organization and either implement it or implement an equivalent alternative measure that achieves the same purpose, documenting the decision and the reasoning behind it.  An example of an addressable specification is the implementation of a mechanism to secure the transmission of ePHI, which can be achieved through methods such as encryption or a virtual private network (VPN).

The Key Differences Between the Two

The Privacy Rule and the Security Rule are two different regulations that have been developed to protect the privacy and security of PHI.  While they have similarities (which we discuss in the next section), there are also key differences between the two rules.

The main difference between the two is the scope of their application.  The Privacy Rule applies to all PHI that is created, maintained, or used by any CE or BA.  This includes any PHI that is stored electronically as well as in paper records.  On the other hand, the Security Rule only applies to electronic PHI.  It does not apply to PHI stored in paper records or shared orally.

Another key difference between the two rules is that the Privacy Rule sets out standards for how PHI can be used and disclosed.  These standards govern how a CE or BA must protect patient privacy when it accesses or uses PHI.  The Security Rule, on the other hand, sets out standards for how CEs and BAs must secure ePHI.  This includes standards related to administrative, physical, and technical safeguards.  In short, all PHI is covered by the Privacy Rule, but only ePHI is covered by the Security Rule.

How the Two Complement Each Other

Ultimately, both the Privacy Rule and the Security Rule exist to protect PHI in all its forms and ensure that PHI is only used for authorized purposes and disclosed to authorized individuals.  Although they were both part of the original HIPAA legislation in 1996, the two had different compliance deadlines.  The Privacy Rule was enacted in October 2002, while the Security Rule was enacted in April 2003, with a compliance deadline two years later in April 2005.  This was done in order to allow HHS to publish the detailed requirements and allow CEs to procure the technology infrastructure required to be compliant with the Security Rule.

In conclusion, the Privacy Rule and Security Rule complement each other by establishing standards for the protection of PHI and ensuring compliance with the law.  The Privacy Rule defines the term protected health information and sets strict requirements for the use, disclosure, and storage of PHI.  It also sets requirements for who may access PHI, sets forth a patient’s right to access their medical information, and requires CEs to publish and distribute to their patients a Notice of Privacy Practices.  The Security Rule deals exclusively with electronic PHI and sets many standards and implementation specifications for the proper securing of ePHI.

Compliance with both Rules protects both your organization and your patients.  Navigating the complexities of these and other rules in HIPAA can be daunting.  At Axeleos, we’re experts at implementing policies, procedures, and practices that will keep your organization compliant with HIPAA.  MedGuard by Axeleos is a service that can assess your organization’s level of compliance and provide remediation assistance.  Contact us today to learn more.
