HIPAA Security Rule: Frequently Asked Questions
This information is provided as guidance only. Providers should always consult with their privacy and security officer(s) or an attorney when considering their privacy and security policies.
- Who needs to comply with the Security Rule?
- What does the Security Rule encompass?
- What types of information do I have to keep secure?
- What are the technical safeguards?
- Am I allowed to e-mail patients and other professionals under the Security Rule?
- What are some available options for protecting ePHI sent via e-mail or other means?
- I provide telepractice services via videoconferencing. Does the Security Rule apply to these video sessions?
- Related Resources
Who needs to comply with the Security Rule?
All HIPAA-covered entities and business associates of covered entities must comply with the Security Rule requirements. Find out if you are a covered entity.
What does the Security Rule encompass?
The Security Rule applies only to electronic protected health information (ePHI). This is in contrast to the Privacy Rule which applies to all forms of protected health information, including oral, paper, and electronic.
There are 3 parts of the Security Rule that covered entities must know about:
- Administrative safeguards—includes items such as assigning a security officer and providing training
- Physical safeguards—includes equipment specifications, computer back-ups, and access restriction
- Technical safeguards—addressed in more detail below
More detail about these safeguards can be found in the Security Rule Guidance Material from the US Department of Health and Human Services (HHS).
Each area within the Security Rule includes implementation specifications. Some implementation specifications are required, others are addressable. Addressable means that that the covered entity must implement it if it is reasonable and appropriate, but does not have to implement it if:
- there is an alternative that would accomplish the same purpose, or
- the standard can be met without implementing the specification or an alternative
Note: Addressable does not mean that the specification is optional.
Covered entities must do a risk analysis to determine if an addressable specification should be implemented or if an alternative exists. The results of the risk analysis and any decisions made as a result must be documented.
See also: Health Information Technology for Economics and Clinical Health Act (HITECH)
What types of information do I have to keep secure?
There are different types of data that must be kept secure:
- Data in motion—data moving through a network (e.g., e-mail)
- Data at rest—data that is kept in databases, servers, flash drives, etc.
- Data in use—data that is in the process of being created, retrieved, updated, or deleted
- Data disposed—data that has been discarded
What are the technical safeguards?
Technical safeguards are the "nuts and bolts" of the Security Rule. More in depth information is available on the technical safeguards as they are directly applicable to issues such as e-mailing information to patients. Technical safeguards include:
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
Am I allowed to e-mail patients and other professionals under the Security Rule?
The Security Rule does not prohibit communication via e-mail or other electronic means. Information can be sent over the Internet as long as it is adequately protected. In general, e-mailing information such as appointment reminders is allowable as a part of treatment and does not require authorization under the Privacy Rule. Providers should make sure that the e-mail contains the minimum amount of information needed, should verify the e-mail address, and confirm that the patient wants to receive e-mails. The privacy notice should include language about appointment reminders.
For information that contains PHI, such as e-mails with evaluation or progress reports included or attached, covered entities must do a risk analysis to determine the appropriate way to protect this information. Encryption is not required, but must be considered in the risk analysis. As noted previously, encrypted information that is breached is not subject to the breach notification rule as that information is considered "unusable, unreadable, or indecipherable."
For more discussion of encryption, see the HIPAA Update blog from HCPro.
What are some available options for protecting ePHI sent via e-mail or other means?
There are a number of options for protecting ePHI. Covered entities must analyze their own processes and determine privacy and security risks before selecting the option that best meets their needs. An internet search for terms such as e-mail encryption, digital certificates, e-mail security, and PKI will lead you to more information and potential products.
Learn more about possible options for protecting ePHI.
I provide telepractice services via videoconferencing. Does the Security Rule apply to these video sessions?
Treatment sessions provided via videoconferencing software is not covered by the Security Rule. In the Final Rule, it specifically states "because "paper-to-paper" faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail were not in electronic form before the transmission, those activities are not covered by this rule" (page 8342). If, however, the provider records the session and saves a copy, the saved version would be subject to Security Rule provisions for data at rest. Regardless, the treatment session and all related information and documentation are subject to the Privacy Rule provisions. To ensure the patient’s privacy during treatment sessions, clinicians should consider the use of private networks or encrypted videoconferencing software.
