The Health Insurance Portability and Accountability Act (HIPAA) Security Rule provisions have become some of the most well-known HIPAA compliance mandates, and for good reason: these security rules outline best practices for information security. From requiring that Covered Entities (CE) and Business Associates (BA) undertake annual risk assessment procedures to implementing strict access controls, and much more, the HIPAA Security Rule provisions are seen as vast and comprehensive. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Scope of HIPAA Security Rule
According to the Department of Health and Human Services (www.hhs.gov) the HIPAA Security Rule “…establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Specifically, the Security Rule provisions consist of the following Part 164, Subpart C safeguards:
- 164.302: Applicability
- 164.304: Definitions
- 164.306: Security standards: General rules
- 164.308: Administrative Safeguards
- 164.310: Physical Safeguards
- 164.312: Technical Safeguards
- 164.314: Organizational Requirements
- 164.316: Policies and Procedures and Documentation Requirements
- 164.318: Compliance dates for initial implementation of security standards
The HIPAA Security Rules, specifically 164.308 – 164.316, are often the main emphasis for the large and growing number of HIPAA compliance assessments being undertaken today by healthcare organizations deemed Covered Entities (CE) and Business Associates (BA). Because of this, a HIPAA Security Rule Checklist and Readiness Assessment is a helpful document for examining each of the respective areas (164.308 – 164.316) to determine which organizational policies, procedures, processes and practices are in place and, ultimately, whether the organization is compliant.
The Final Rule on the actual Security Standards for HIPAA was effectively issued on February 20, 2003, taking effect on April 21, 2003, with a compliance date of April 21, 2005 for “most” covered entities and a year later (i.e., April 21, 2006) for “small plans”. The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI), both paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). Visit the Department of Health and Human Services (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/) to learn more about the HIPAA Security Rule.
Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry-leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and so much more. Learn about our industry-leading HIPAA compliance toolkits today.