I am often asked the difference between HIPAA Privacy and HIPAA Security. Because HIPAA regulations cover both privacy and security, they go hand in hand, yet they are different.

The Privacy Rule

The HIPAA Privacy Rule focuses on the right of an individual to control the use of his or her personal information. It established national standards to protect an individuals medical records. Protected health information (PHI) should not be divulged or used by others against their wishes. The Privacy rule covers the confidentiality and sets limits of PHI in all formats including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an element of the Privacy rule.

The Security Rule

The Security rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access, whether external or internal, stored or in transit, is all part of the security rule. Typically ePHI is stored in:

  • Computer hard drives
  • Magnetic tapes, disks, memory cards
  • Any kind of removable/transportable digital memory media
  • All transmission media used to exchange information such as the Internet, leased lines, dial-up, intranets, and private networks

As a HIPAA consultant, it is sometimes hard to draw a line between privacy and security because they are both so closely related. As an IT company, Tier3MD focuses mainly on the HIPAA security rule, and deals with the technology in your office to make sure it is secure, and that your ePHI is secured.