How to secure e-PHI true to the Security Rule under HIPAA

When working for a care provider, it’s important you understand all of HIPAA’s requirements, but many of your responsibilities, as a security professional, reside in the Security Rule.

Security Rule under HIPAA

Whether you work in the healthcare industry or have been reading up on the industry, you’ve probably heard the acronym HIPAA occasionally thrown around. If you watch Grey’s Anatomy, or a similar show, you’ve heard them reference ‘HIPAA violations’. You may have gathered from context that HIPAA is some sort of rule or law that doctors need to follow, and, you’re basically right, but HIPAA is a lot more than just that. As a security professional, you can add a lot of value to your healthcare clients, or open up new verticals, if you can cater products and services to HIPAA compliance.

HIPAA, or the Health Insurance Portability and Accountability Act, is a United States federal law that requires healthcare providers to comply with strict patient data handling practices. It covers everything from where you can talk about patient issues (definitely not in front of other patients) to how you can share patient information electronically. It also puts controls in place to ensure that patient data handling keeps pace with shifting risk environments and new security and communication innovations, and it requires care providers to log actions and events and to create reports. For IT and security professionals, one of the most important parts of HIPAA is the Security Rule.

What is HIPAA’s Security Rule?

The main goal under HIPAA’s Security Rule is to ensure health information is gathered, stored and shared securely, confidentially, and while maintaining integrity. It also establishes federal standards to protect patients’ electronic personal health information, or e-PHI. There is a lot to cover under the Security Rule. Today, we’ll just be gaining a high-level understanding of how it addresses security, confidentiality and integrity. Keep in mind HIPAA is federal law, so if the state laws are contrary, HIPAA will still apply.

The Security Rule doesn’t dictate which security measures to follow, but it requires that care providers consider a few things when making their own security policies and software deployments. Under the Security Rule, entities must consider:

  • Their size, complexity, and capabilities
  • Their technical hardware and software infrastructure
  • The costs of security measures available to them, and
  • The likelihood and possible impact of potential risks to e-PHI when determining their best options.

Care providers are expected to identify and protect against reasonably anticipated security threats, impermissible uses, and impermissible disclosures. Covered entities need to designate a security official responsible for developing and implementing security policies and procedures. It’s also up to care providers to ensure their workforce is compliant with those policies and procedures.

Assessments and documentation are very important under HIPAA to ensure that care providers are in fact secure and compliant with the regulation. A risk assessment is a critical part not only of assessing your environment at the outset but of continually re-evaluating your environment and data handling processes going forward. The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a helpful tool to guide small and medium-sized care providers in their assessment, called the HIPAA Security Risk Assessment (SRA) Tool. Risk assessments are required under HIPAA, so this tool can really help entities become and stay compliant.


Confidentiality is a key component of HIPAA, and that means information access management. It’s important that information access management is consistent with the Privacy Rule laid out by HIPAA and that only authorized personnel have access to e-PHI. To maintain compliance, care providers need to provide appropriate authorization and supervision of any employees who work with e-PHI. These employees must be well trained, and any employees who don’t follow policies and procedures require appropriate sanctions to deter future violations. The tricky part of confidentiality is that accessibility for the right people is also important under HIPAA, so finding the balance between accessibility and strict access control is the challenge you, as a security professional, will be solving and constantly evolving.


E-PHI is not only sensitive because it is personal information; it’s also vital, because care providers use it when making decisions about patient tests and treatments. For this reason, HIPAA’s Security Rule requires entities to implement policies and procedures that ensure this sensitive information isn’t altered or destroyed. In fact, this is the very definition of integrity under HIPAA. Policies and procedures for maintaining e-PHI integrity include electronic measures, as well as oversight of employees who handle this data.

This has been a short overview of some of the ways the Security Rule addresses security, confidentiality, and integrity under HIPAA. Health IT professionals need to gain a full understanding of the compliance requirements therein. I recommend this summary of the rule for a little more in-depth look.


The Health Information Technology for Economic and Clinical Health Act, or HITECH, was enacted in 2009 and aimed to promote and expand the adoption of health information technology and electronic health record, or EHR, systems. For the act, the United States Department of Health and Human Services, HHS, set out to spend $25.9 billion on the effort. It also established four categories of violations that reflect increasing levels of culpability under the Enforcement Interim Final Rule.

About CyberTraining 365

CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training, including Employee Security Awareness Training and Data Security and Privacy Training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Its on-demand LMS platform has white-label capabilities ideal for internal training purposes.