The Difference between the Privacy Rule and the Security Rule
HIPAA is a complex and far-reaching regulation that covers both the security and privacy of protected health information (PHI). While they sound similar, Security and Privacy are two distinct functions of HIPAA.
Privacy is defined as the right of an individual to keep their PHI confidential. The HIPAA Privacy Rule is focused on controlling who is authorized to access patient information, the conditions under which it may be accessed, and how and when it can be disclosed to a third party.
In a healthcare context, Security is the mechanism used to protect the sanctity and integrity of PHI; in practice it centers on the technical and operational controls a covered entity or business associate should use to protect an individual's PHI.
The Privacy Rule
The Privacy Rule is focused on protecting the rights of an individual and their ability to control and access their own PHI. It also outlines how medical organizations can use the data for necessary functions such as treatment, operations, and payment. Aside from those uses, the PHI must remain confidential. The Privacy Rule ensures that all PHI is protected from unauthorized disclosure and covers the physical security and confidentiality of PHI in all formats, including electronic, paper, and even oral.
The Security Rule
The HIPAA Security Rule is only concerned with the protection of ePHI that is created, received, or used electronically. Covered Entities and Business Associates are required to implement robust physical, technical, and administrative safeguards to protect patient ePHI. Bear in mind that the Security Rule is designed to be flexible and scalable based upon the size and resources of the organization in question, so appropriate safeguards for a small vendor may not be sufficient for a large hospital system. However, the need to implement physical, technical, and administrative safeguards is not flexible.
As you can see, the Security Rule provides far more detailed and comprehensive security requirements than the Privacy Rule. As part of the HIPAA compliance initiatives, an organization is required to conduct a risk assessment to determine the appropriateness of security measures.
One other key difference between the Security and Privacy Rules is that the Privacy Rule applies to all forms of a patient's PHI, whereas the Security Rule only applies to PHI that is in electronic form. For example, the Security Rule covers ePHI that is stored on a computer, transmitted over the internet, and then downloaded onto a jump drive. But the moment that PHI is printed, the Security Rule no longer applies to it.