HIPAA Security Rule

The page below is a sample from the LabCE course An Introduction to the Medical Laboratory, Part 3.

The HIPAA Security Rule went into effect on February 20, 2003. It secures the confidentiality of patients' electronic health data, or electronic protected health information (ePHI).
The Security Rule:
  • Requires reasonable security measures to protect patients' electronic health information
    • E.g., ensuring all data is password-protected
  • Limits the use and disclosure of ePHI
    • E.g., controlling the level of access to the computer system
  • Sets technology standards for ePHI
    • E.g., restricting ePHI to non-personal devices only
The Security Rule requires that a Security Officer or Official be designated. This may be the same person as the Privacy Officer or Official. The Security Officer is responsible for developing and implementing the policies and procedures that keep the covered entity HIPAA compliant, particularly those that keep ePHI confidential.
The Security Rule defines ePHI safeguards that ensure electronic patient data is secure. Examples of these safeguards include storing ePHI in cloud-based servers rather than on portable devices, preventing ePHI from being sent via unencrypted email, and creating data backups.