HIPAA Security Rule
The HIPAA Security Rule specifies the safeguards that covered entities and their business associates must employ to protect the confidentiality, integrity, and availability of ePHI. Covered entities and business associates must implement policies and procedures to protect the ePHI they create, receive, maintain, or transmit. Each entity must assess the risks to ePHI in its own environment and implement solutions appropriate to its situation.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce.
The Security Rule does not dictate specific security measures, but it requires covered entities to consider all of the following when choosing them:
- Their size, complexity, and capabilities
- Technical, hardware, and software infrastructure
- The costs of security measures
- The likelihood and possible impact of risks to ePHI
Covered entities must regularly review and, where necessary, modify their security measures so that ePHI stays protected as their environment changes.
Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and HHS of a breach of unsecured PHI, and in some cases to notify the media as well. Most notifications must be provided without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting fewer than 500 individuals may instead be reported to HHS on an annual basis. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches that occur at or by the business associate.