What Does the HIPAA Security Rule Cover?
The HIPAA Security Rule covers a subset of individually identifiable health information protected by the Privacy Rule and it applies when Protected Health Information is created, received, stored, or transmitted electronically. In such circumstances, the subset of information covered by the HIPAA Security Rule is referred to as electronic Protected Health Information or ePHI.
Prior to HIPAA being passed in 1996, concerns were raised that the cost of reforming the health insurance industry would be passed on to employers and employees in the form of higher premiums. As health insurance premiums are tax deductible, this would reduce federal tax revenues. To help neutralize the cost of the reforms, Congress added a second title to the Act.
Most of Title II of HIPAA addresses fraud and abuse against federal health programs. However, Subtitle F of Title II aims “to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards for the electronic transmission of certain health information” (42 USC §1320d).
At the time, it was estimated there were more than 400 sets of codes being used for healthcare transactions such as eligibility checks, authorizations, claims, and remittances. It was thought that a single health information system with standard healthcare transaction codes would simplify the administration of healthcare transactions and reduce health insurers’ costs.
The HIPAA Administrative Simplification Regulations
To achieve a single health information system with standard healthcare transaction codes, Congress instructed the Secretary of Health and Human Services (HHS) to adopt standards for ten types of transactions and the data elements used in those transactions. The Secretary was also instructed to adopt security standards to safeguard health information maintained or transmitted electronically.
These two instructions led to the publication of the “Standards for Electronic Transactions” in August 2000 and the “Security Rule Standards” in February 2003. Originally, the two sets of standards were intended to be included in the Public Health Code, and the HIPAA Security Rule covered only individually identifiable health information used in electronic transactions.
However, in a separate section of Subtitle F, the Secretary is instructed to submit “recommendations with respect to [the] privacy of certain health information”. The recommendations had to address the rights of individuals with respect to their health information, how those rights should be exercised, and “the uses and disclosures of such information that should be authorized or required”.
At the time, Congress had a number of Privacy Acts under consideration following the collapse of the Clinton Health Plan. For this reason, the section states that if Congress did not pass privacy legislation within three years, HHS was to adopt the recommendations and apply them to the entities covered by the Standards for Electronic Transactions and Security Rule Standards.
Congress did not pass privacy legislation within its own timeframe, and the recommendations were adopted as the HIPAA Privacy Rule. The Standards for Electronic Transactions, the Security Rule Standards, and the HIPAA Privacy Rule were combined into a new Subchapter of the Public Welfare Code and given the combined title of the HIPAA Administrative Simplification Regulations.
How This Changed What the HIPAA Security Rule Covers
The combining of the HIPAA Privacy Rule, the Standards for Electronic Transactions, and the Security Rule Standards is significant for the question of what the HIPAA Security Rule covers. Whereas originally the HIPAA Security Rule covered only “electronic health care information” used in covered transactions, the HIPAA Privacy Rule introduced a new category of health information: Protected Health Information.
The difference between electronic health care information and Protected Health Information is that electronic health care information only included information about an individual’s health condition, treatment for the condition, or payment for the treatment. Protected Health Information also includes any non-health information that could be used to identify the subject of the health care information when it is maintained in the same designated record set.
Although the difference is subtle, it means that electronic Protected Health Information that would not have been covered by the original Security Rule Standards is now covered by the HIPAA Security Rule. For example, identifiers such as a patient’s email address, fingerprints, and vehicle license plate number are not disclosed in healthcare transactions, so would not have been covered by the original Security Rule Standards.
However, as these identifiers now qualify as Protected Health Information when they are maintained in the same designated record set as individually identifiable health information, they now qualify as electronic Protected Health Information – and are covered by the HIPAA Security Rule – when these identifiers are collected, received, maintained, or transmitted electronically for any purpose by a HIPAA covered entity or business associate.