What is the HIPAA Security Rule?

The HIPAA Security Rule is a set of regulations issued by the U.S. Department of Health and Human Services (HHS) that establish national standards for protecting electronic personal health information (ePHI). The Security Rule was created under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and it applies to covered entities such as health plans, healthcare providers, and healthcare clearinghouses that transmit or maintain ePHI.

The Security Rule establishes specific requirements for covered entities to ensure the confidentiality, integrity, and availability of ePHI. Covered entities are required to conduct a risk analysis to identify potential risks and vulnerabilities to the security of ePHI, and to implement reasonable and appropriate administrative, physical, and technical safeguards to address those risks.

The Security Rule also requires covered entities to implement policies and procedures to ensure workforce compliance with the Security Rule, including workforce training, sanctions for non-compliance, and periodic reviews of security policies and procedures. Penalties for covered entities that fail to comply with requirements include fines and other enforcement actions by HHS.