Comparing HIPAA’s Privacy and Security Rules


The digital era has brought opportunities and challenges for medical organizations. Storing patients’ protected health information (PHI) in digital form makes that content visible and accessible to all professionals who need it for care coordination. Keeping PHI in such a format, however, raises the risk of data breaches and makes maintaining privacy an ongoing obligation.

Patient data displayed on a tablet

Today’s health care organizations require professionals to understand the Health Insurance Portability and Accountability Act (HIPAA), frequently checking their data safeguards against the privacy and security standards mandated by the law. In the event of a breach or failed inspection, providers found to be in violation of the act may suffer fines and reputation damage that could seriously impact their continued operations.

The fines associated with HIPAA breaches can reach millions of dollars. A 2018 announcement from the Department of Health and Human Services (HHS) revealed that an organization with inadequate safeguards, after being breached multiple times, had to pay $3.5 million and enter a corrective action plan. The HIPAA regulations that lead to these fines are divided into the Privacy Rule and the Security Rule.

Privacy and Security Rules

Medical practitioners and administrators should understand the HIPAA Privacy and Security Rules, which make up the two main components of the law. These regulations cover the responsibilities care providers take on when handling their patients’ data. While the Privacy Rule addresses many types of data and disclosure, the Security Rule has a more digital focus.

HIPAA has existed for more than two decades, which has given organizations time to come into compliance with its rules. Although the rules are periodically updated to account for technological developments, they are written broadly enough to apply to new deployments and policies as they appear. Leaders and their compliance teams must check frequently that their present operations are in line with the law.

What is the HIPAA Privacy Rule?

The Privacy Rule exists to ensure that one of the primary benefits of digital medical records — ease of data exchange — does not come at the cost of exposing patient data. HHS emphasizes in its HIPAA Privacy Rule summary that the privacy standards are flexible in their application so they can fit every type of health care organization.
</grinsert_placeholder_never_used>

The Privacy Rule covers every organization that deals with health information, from care providers, health plans and information clearinghouses to the business associates who work with medical organizations. When covered entities hire third-party contractors to work with PHI, the agreement with the outside person or group must include language ensuring data protection.

The data protected by the Privacy Rule is “individually identifiable health information.” While HIPAA was created with the digital era in mind, it covers any and all disclosure of that data, whether the content is transmitted digitally, transferred on paper or merely spoken aloud. De-identified health information, which cannot be connected to an individual patient, is not covered under the Privacy Rule because, by definition, it does not expose any individual.

HIPAA Privacy Rule checklist

The following are the general precautions health care providers must take to remain compliant with the Privacy Rule:

  • Notify patients about the ways their information can be used under HIPAA.
  • Institute privacy protocols that eliminate unnecessary use or transmission of privileged data.
  • Secure all patient records that contain identifiable information.
  • Train employees to ensure they understand their role in keeping data private.
  • Designate an overseer who will maintain compliance with the rules.

What is the HIPAA Security Rule?

The Security Rule is largely concerned with the use of technology to store, access and transfer health care information. Health care providers must defend their technology against potential data breaches, even as systems become more convenient and accessible for their users. The regulation is similar in intent to the Privacy Rule: ideally, it prevents the improper disclosure of PHI.

The Security Rule applies to every entity that handles PHI electronically, from providers and plans to clearinghouses. An expansion of the rule, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, increased the extent to which business associates that deal with health care information must protect that content.

Only electronic health data is protected under the Security Rule, so the regulation encompasses fewer records than the Privacy Rule. The rule applies whether an organization is entering new data into a digital record, transmitting it, storing it or otherwise accessing it.

HIPAA Security Rule checklist

The main responsibilities of entities under the Security Rule involve both the technologies implemented to protect content and the physical barriers that prevent improper data access. The following actions are necessary for compliance:

  • Ensure all electronic patient data created, received, maintained or transmitted by the organization is protected.
  • Identify threats that might reasonably compromise the data and defend against those risks.
  • Anticipate and prevent impermissible uses or disclosures of the data.
  • Ensure employees understand the rule and are prepared to comply with it.

Learning about health data regulations

Organizations in or connected to the health care industry need team members who understand the elements of HIPAA. This is one reason to study for a related degree, such as a Master of Arts or a Master of Laws in Health Law and Policy. The specialized curriculum encompasses the many rules and regulations governing today’s fast-moving and tech-enabled health care sector.

The constant evolution of technology has brought on new legal developments to keep pace with the change, the 2009 HITECH Act being one of the most recent examples. Earning a master’s in health law and policy can give professionals in the field knowledge of the legal landscape as it affects modern care providers, potentially helping these organizations stay in compliance.

It’s possible to study for a master’s in health law and policy online with Hofstra Law, fitting the courses into a busy full-time schedule. In this program, students learn about the way Medicare, Medicaid, the Affordable Care Act and more impact health care operations today, in addition to the many rules associated with HIPAA. This knowledge can aid professionals at organizations that handle patient data in any form. Learn more about the online Master of Arts or Master of Laws in Health Law and Policy programs at Hofstra Law.

Recommended Readings:

What you can learn from Hofstra Law about the Americans with Disabilities Act

Top health law and policy skills relevant for any career in the industry


Sources:

U.S. Department of Health and Human Services – Summary of the HIPAA Security Rule

U.S. Department of Health and Human Services – Summary of the HIPAA Privacy Rule

U.S. Department of Health and Human Services – Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules

U.S. Department of Health and Human Services – Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?