Avoid Security Rule Penalties

, , ,

Most everyone has heard of the Health Insurance Portability and Accountability Acct (HIPAA), but unless your company is in the healthcare industry or is considered a covered business entity, you may not know there are two HIPAA rules – the Privacy Rule and the Security Rule. The Privacy Rule provides national standards for protected health information (PHI) and is the rule with which everyone is familiar. The Security Rule which is lesser-known establishes a national set of security standards for information that is stored or transferred in electronic form. Following it will avoid stiff Security Rule penalties. If the information is transmitted orally or in writing it is not covered by the Security Rule.




According to the U.S. Department of Health & Human Services, the Security Rule “applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA and to their business associates.” (https://tinyurl.com/y8jkal89) Broadly speaking, the HIPAA Security Rule requires the implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.


To avoid Security Rule penalties, a covered entity under the Rule must:


  • Safeguard the confidentiality, integrity, and accessibility of all electronically protected health information (e-PHI) they generate, receive, support, or transmit.
  • Detect and protect against anticipated risks to the security or integrity of the information.
  • Avoid anticipated uses or disclosures that are not allowed.
  • Ensure their workforce is also in compliance.


Covered entities are required to perform a risk analysis as part of their security management processes. This analysis includes evaluating the possibility of risks and their impacts to ePHI as well as implementing security measures that address the identified risks. The risks and security measures identified must be documented with the rationale for their identification. And, of course, these security protections must be maintained.


In addition to the above requirements, a “security official” must be tasked with developing and implementing policies and procedures. These must include limitations on accessing the e-PHI to only the minimum necessary employees determined by role-based access. There also must be training for all employees who work with e-PHI. Finally, the covered entity must have procedures in place that can assess the security policy’s success.


Additional safeguards that must be in place include limited access and control to the facility and workstation and device security. There must be restrictions on the transfer, removal, disposal, and re-use of electronic media to guarantee the protection of e-PHI. Technical safeguards, including control of access and audits, integrity controls, and transmission restrictions must be in place.


Technical Measures


As mentioned, there are stiff penalties for not following the Security Rule, so always fall on the conservative, or prudent, side. If you are a small business, meeting these requirements can be especially difficult.

According to Insureon, the following technical measures will help protect your networks and devices from data breaches and will go a long way towards meeting the Security Rule requirements:

  • Encrypt sensitive files that your organization sends via email and ensure that any cloud-based platform you use offers encryption.
  • Protect your network from hackers and other cyber thieves with firewalls and intrusion detection and prevention systems.
  • Train your employees to identify and avoid phishing scams.
  • Back up data in case of accidental deletion or changes.
  • Authenticate data transfers to third parties by requiring a password, a two- or three-way handshake, a token, or a callback.
  • Require that employees periodically change their passwords, and ensure passwords contain a mix of letters, numbers, and special characters.
  • Prevent data entry mistakes by using double-keying, checksum, and other redundancy techniques.
  • Keep updated documentation of your organization’s technology and network configurations.

To find out we can help visit our Services.

Are you wondering as to whether your organization is considered a covered entity and is, therefore, subject to the security rule? CMS has an easy to use question and answer tool that will help you determine the answer. You can find it here.