HIPAA Privacy Rule vs. Security Rule
Robert Godard

HIPAA is an integral part of any healthcare business; if you collect, store or use patient health information as a covered entity or a business associate, you are required by law to comply. HIPAA requirements continue to evolve, changing to improve efficiency and to better protect sensitive patient health information from ever-evolving threats.

HIPAA was enacted in 1996, when workplace technology was far less sophisticated than it is now and paper files were the accepted form for medical records. Cybercrime was in its infancy and identity theft was rare. Because of this, the rules and the best practices built on them have been updated over time; these updates allow HIPAA to keep up with the times and with threats as they emerge.

Today, HIPAA has two core rules for covered entities: the Privacy Rule defines how protected health information (PHI) may be used and disclosed and outlines provider responsibilities and patient rights; the Security Rule outlines how electronic PHI must be safeguarded. Understanding these key components, and which entities are required to comply, can prevent costly errors and compliance issues.

What are Covered Entities?

Covered entities are the businesses and organizations that are required to comply with HIPAA rules, both the original law and the updates that have followed in the nearly three decades since. Under the rules, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction. In practice this includes:

  • Providers and practices
  • Healthcare plans and insurers
  • Hospitals, nursing homes and other medical facilities
  • Healthcare clearinghouses
  • Research facilities
  • Government facilities

This scope was widened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and by the 2013 Omnibus Final Rule that implemented it. Business associates, the contractors that create, receive, maintain or transmit PHI on a covered entity's behalf, became directly liable for compliance; this brings in attorneys, data centers, cloud providers, SaaS vendors and MSP/IT contractors, along with their subcontractors.

Privacy vs. Security Rules

Since HIPAA is designed to protect both data and patient privacy, it needs to outline specific and easily understood guidelines for each of these areas. Both privacy and security are essential and they differ in several key ways.

Privacy Rules

This portion of HIPAA is designed to protect PHI in any form, whether paper, oral or electronic. The Privacy Rule details patients' rights over their PHI, such as the right to access and amend their records, and outlines what covered entities are required to do to protect these crucial details. It defines when PHI may be used, distributed and shared, and requires that uses and disclosures be limited to the minimum necessary for the purpose.


Security Rules

The Security Rule applies specifically to electronic PHI (ePHI). It defines how ePHI must be protected, because it can be exposed in many ways, from a network breach to the theft of a laptop or a backup tape. The rule therefore groups its safeguards into administrative, physical and technical categories and defines the role entities must take to protect data. Security rules cover the following areas:

  • Access controls, which determine the people and entities that can read, modify or add to data, covering files, applications, networks and more. Each user must be identified with unique credentials, an emergency access procedure must exist, and automatic logoff and encryption of ePHI must be addressed.
  • Authentication controls, which verify that a person or entity seeking access to ePHI is who they claim to be before access is granted.
  • Audit controls, which record and allow analysis of activity in systems that contain or use ePHI, including access and disclosure.
  • Integrity controls, which ensure accuracy and protect ePHI from improper alteration or destruction.
  • Physical safeguards, which restrict physical access to facilities, systems and workstations and include environmental and safety controls that protect both the facility and the data.
  • Workstation and device controls, which govern how workstations are used and how hardware and electronic media are handled; when devices are replaced or decommissioned, they must be wiped or disposed of in a way that protects patient privacy.
  • Contingency measures, including rules for backups, cloud storage and data restoration after an emergency.
  • Security management controls, the administrative safeguards that make up the bulk of the Security Rule, including risk analysis, risk management, workforce training and sanction policies, with specific requirements and measures for how data is to be stored, safeguarded and accessed.


What Happens if you do not Comply?

Any covered entity is required to restrict access to protected health information (PHI). These safeguards can include physical, technical and administrative measures designed to protect both the data itself and the privacy of patients.

Covered entities are required to take steps to protect the data they collect and use; each organization is different, so compliance may look different from one organization to another. Failing to comply with HIPAA rules, or failing to accurately assess risk and take reasonable precautions, could result in sanctions for both the practice and individuals.

Penalties include civil monetary penalties and, for knowing misuse of PHI, criminal liability. Accidental violations are handled differently from those that exploit PHI for personal gain or malicious reasons: civil penalties are tiered by level of culpability, and a criminal offense can result in years of imprisonment and hefty fines. Even practices that do not willingly expose data face consequences; both fines and reputational damage impact an organization's ability to serve and perform as usual.

Taking the time to learn about the latest changes to HIPAA policies, understanding the differences between Privacy and Security Rules and taking a proactive approach to PHI protection can help protect your organization from outside harm and ensure you do not run afoul of the law.

Get Help with HIPAA

You don’t have to do everything alone. Working with a team that offers custom HIPAA solutions and a robust lineup of compliance initiatives allows you to protect your brand and focus on what you do best — serving your patients and community. Get in touch today to discover how easy it is to get the peace of mind that comes from knowing your PHI is secure and that you are not risking civil or even criminal penalties. Send us a message or call us at 215-675-1400 to learn more about HIPAA compliance services.
