In combination with the Privacy Rule, the Security Rule institutes guidelines for protecting sensitive patient information, also known as protected health information (PHI). It applies to any organization or business that works with PHI and establishes three categories of safeguards for protecting it: physical, technical, and administrative.
- Physical safeguards are security measures that control physical access to PHI and the facilities and equipment that hold it, such as locking doors or limiting access to areas where PHI is stored.
- Technical safeguards are controls that limit access to PHI to authorized users only and rely on technology such as encryption or passwords.
- Administrative safeguards refer to processes and policies that are put in place to ensure the security of PHI, such as employee training or conducting risk analyses. Organizations must also implement procedures for protecting PHI when it is shared with a third party.
HIPAA violations, such as failing to protect PHI or not having appropriate policies and procedures in place, can result in significant fines and penalties for organizations. It is essential that organizations understand their HIPAA obligations and take steps to ensure they are compliant with the Security Rule.