The Difference between the Privacy Rule and the Security Rule
HIPAA is a complex and far-reaching regulation that covers both the security and privacy of protected health information (PHI). While they sound similar, Security and Privacy are two distinct functions of HIPAA.
Defining the Terms
Privacy is defined as the right of an individual to keep their PHI confidential. The HIPAA Privacy Rule is focused on controlling who is authorized to access patient information, the conditions in which it may be accessed, and how and when it can be disclosed to a third party.
In a healthcare context, Security is the mechanism used to protect the sanctity and integrity of PHI, which is typically the technical and operational controls a covered entity or business associate should use to protect an individual’s PHI.
The Privacy Rule
The Privacy Rule is focused on protecting the rights of an individual and their ability to control and access their own PHI. It also outlines how medical organizations can use the data for necessary functions such as treatment, operations, and payment. Aside from those uses, the PHI must remain confidential. The Privacy Rule assures that all PHI will be protected from unauthorized disclosure and covers the physical security and confidentiality of PHI in all formats including electronic, paper, and even oral.
The Privacy Rule was intended for the purposes of outlining clear expectations for their healthcare system to only disclose PHI to individuals whom access is deemed an essential function of their role. It also serves to protect an individual and gives them the right of privacy. For example, one cannot call a healthcare provider or business and receive another person’s PHI unless the provider has received the expressed consent of the individual in question. Breaching this privacy, whether intentional or unintentional, can result in fines of up to $1.5 million dollars per year in extreme cases should the Covered Entity (CE) or Business Associate (BA) be found negligent.
The Security Rule
The HIPAA Security Rule is only concerned with the protection of ePHI that is created, received, or used electronically. Covered Entities and Business Associates are required to implement robust physical, technical, and administrative safeguards to protect patient ePHI. Bear in mind that the Security Rule is designed to be flexible and scalable based upon the size and resources of the organization in question, so appropriate safeguards for a small vendor may not be sufficient for a large hospital system. However, the need to implement physical, technical, and administrative safeguards is not flexible. For example, the security needs of a small medical practice will differ drastically in comparison to the needs of a massive cloud-base tele-health company, but both are required to have specific safeguards in place on all fronts.
One other key difference between the Security and Privacy Rule is that the Privacy Rule applies to all forms of patient PHI, whereas the Security Rule only applies to PHI that is in electronic form or ePHI. For example, the Security Rule covers ePHI which can be stored on a computer, transmitted over the internet, and then downloaded onto a jump drive. But the moment the PHI is printed, the Security Rule does not apply to it. In addition, oral forms of PHI are not bound by the requirements of the Security Rule, however, they do need to abide by the requirements of the Privacy Rule. For example, messages left on answering machines, video conference recordings or paper-to-paper faxes are not considered ePHI and do not fall under the requirements of the Security Rule.
The Privacy and Security Rules Today
With the increased circulation of PHI of all forms due to the pandemic and the influx of needs on our healthcare system, there has been a large push to streamline, as well as standardize the ways in which the healthcare system responds to and communicates with patients in how it discloses and distributes their PHI. As discussed, the Privacy Rule centers around the patient’s rights and sets clear expectations that PHI will be handled in a way that only essential individuals have access to your protected health information.
The Security Rule on the other hand lays out a clear framework of best practice and procedures necessary for maintaining HIPAA compliance. Similarly to how the Security Rule looks to standardize the procedures and business practices involved in handling PHI, these proposed changes look to standardize the fees that an organization can charge a patient for access to their PHI as well as decrease the response time on these requests from 30 days to 15 days. All in all, since its inception in 1996, HIPAA has continued to lay the framework for regulating and protecting individual’s rights to their protected health information and ultimately the Privacy Rule and Security work hand-in-hand to achieve these objectives.
Here at Accountable, we provide a holistic administrative solution to ensure that your business is following best practices and maintaining and protecting the rights of your clients outlined in these rules. To learn more about how you can become HIPAA compliant, schedule a call with one of our HIPAA Compliance Specialists today.