The HIPAA Privacy Rule was enacted in 1996 to create protection standards for patients in the United States. While the Privacy Rule pertains to all protected health information, including paper and electronic, the Security Rule pertains specifically to electronic protected health information.

The Security Rule became effective in 2005 to establish national standards for the protection of individuals’ electronic personal health information (ePHI). The Security Rule applies to all health providers and covered entities that create, use, maintain, or transmit ePHI. The Security Rule requires physical, administrative, and technical safeguards to make sure the security and confidentiality of ePHI.

There’s a variety of potential threats and vulnerabilities that could leave ePHI at risk for disclosure, including:

• Cybercriminals and displeased employees
• Employee mistakes and mishandling
• System outages
• Disasters, natural and man-made
• Portable device theft or loss

As a healthcare provider or covered entity, you must follow these important steps to protect ePHI:

Conduct a Risk Analysis

Conduct a complete risk analysis to identify all electronic personal health information, determine the risks and vulnerabilities to that information, and then document your current safeguards.

Mitigate the Risks

Develop a plan to mitigate risks to ePHI, then implement the safeguards from the plan into your current safeguards and business processes.

Update Policies and Procedures

Update your policies and procedures to make sure compliance with the HIPAA Security Rule at all times.