HIPAA Privacy and Security Rules – Linked?

Healthcare officials often ask whether the HIPAA Privacy and Security Rules are linked.

My stock answer is yes; however, further examination is required to fully explain how the two rules work together and the value of referring to both rules when planning and managing a compliance program. Let’s start by reviewing the HIPAA Privacy and Security Rules.

Privacy Rule
The Privacy Rule applies to health information in any form or media, whether electronic, paper or oral. Healthcare organizations, called Covered Entities, are required under HIPAA to protect the privacy of a person’s identifiable health information, referred to as Protected Health Information (PHI).

The Privacy Rule was designed to protect all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule gives patients the right to receive a notice of privacy practices, to receive an accounting of uses and disclosures of their health information, to inspect, copy and request amendments to their medical records, and to file a formal complaint about violations of privacy. It also establishes criminal and civil penalties for improper use and disclosure.

Security Rule
Unlike the HIPAA Privacy Rule, which applies to PHI in “any form or medium,” the Security Rule covers only PHI that is electronically stored or transmitted by covered entities, referred to as electronic PHI (ePHI). The Security Rule has a broader aim than the confidentiality focus of the Privacy Rule. Although protection against unauthorized use or disclosure is also a core goal, the Security Rule aims at assuring the integrity and availability of ePHI too. As such, the Security Rule addresses issues such as data backup, disaster recovery and emergency operations. The general requirement of the Security Rule can be simply stated: covered entities that “collect, maintain, use or transmit” PHI in electronic form must construct “reasonable and appropriate administrative, physical and technical safeguards” that ensure integrity, availability and confidentiality.

Federal Regulators’ Intent
A good starting point for examining the linkage between the Privacy and Security Rules is the stated intent of those responsible for developing and applying the Rules. The Department of Health and Human Services has stated that, “…in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work hand in glove (emphasis added) with any relevant requirements in the Privacy Rule.”[1] Health and Human Services has also stated that, “As many commenters recognized, security and privacy are inextricably linked (emphasis added). The protection of the privacy of information depends in large part on the existence of security measures to protect that information.”[2] To be sure, federal regulators intend for the Privacy and Security Rules to work in conjunction with one another.

Privacy and Security “Inextricably Linked”
A careful examination of the two rules shows important intersections that must be considered when managing HIPAA compliance to ensure a cohesive compliance plan.

The Value of a Cohesive Compliance Plan: Easy to Understand and Apply

The goal of any compliance program is to provide guidelines that promote understanding of and compliance with the regulations. Recognizing how the Privacy and Security Rules work together gives healthcare compliance officers and management a method for delivering a cohesive compliance plan that is easy to understand and apply. Joint privacy and security functions to coordinate include:

  • Establishing HIPAA policies and procedures for the proper use, disclosure and safeguarding of PHI and ePHI
  • Developing and implementing ongoing training programs to ensure organization members are aware of, and kept updated on, the required standards for healthcare privacy and security
  • Documenting the privacy and security compliance efforts
  • Creating methods to communicate new HIPAA regulations and standards to all organization members
  • Establishing a mechanism for receiving, investigating and addressing complaints regarding the privacy and/or security practices or actions of the organization
  • Performing regular reviews of both privacy and security compliance efforts to determine where the compliance program needs improvement
  • Formulating a corrective action plan to address any non-compliance with the organization’s privacy or security compliance policies and standards

Bottom Line
The Department of Health and Human Services has stated that, “…in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work hand in glove (emphasis added) with any relevant requirements in the Privacy Rule”

[1] “Standards for Privacy of Individually Identifiable Health Information, Final Rule.” Federal Register 67 (14 August 2002): 52194.

[2] “Health Insurance Reform: Security Standards, Final Rule.” Federal Register 68 (20 February 2003): 8335.

Grant Peterson, J.D. leads the HIPAA Analytics team.