HIPAA Security vs. Privacy: What's the Difference?

On average, the global cost of a data breach in 2023 is about 4.45 million USD. This number is actually a 15% increase since 2020. Ensuring the security of protected health information (PHI) can shield your company from financial losses, as well as losing the trust of your clients.

Luckily, we have the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a federal regulation that protects the privacy and security of PHI. No matter what type of media the information is on, such as on a computer or paper, your company must adhere to HIPAA rules and regulations to protect it.

So how do you go about upholding these guidelines to protect all of this information? Why, through the HIPAA Privacy and Security Rules of course! These terms may sound interchangeable, but don’t let them fool you! They both have their own distinct roles to play when it comes to HIPAA as a whole.

For example, the HIPAA Privacy Rule covers PHI in any medium. The HIPAA Security Rule covers electronically protected health information (ePHI) specifically.

What is PHI & ePHI?

Let’s start by discussing some of the basic terms you are about to hear me say over and over throughout this blog. Protected Health Information (PHI) is any patient information when in the possession of a covered entity. A covered entity is anyone who performs healthcare operations, such as providing treatment or collecting payments.

This information relates to:

• The individual’s past, present, or future physical or mental health.
• The provision of healthcare to the individual.
• Past, present, or future payment for healthcare provided.

PHI also includes anything that identifies the individual. This could be their name, birthdate, home address, etc.

Electronic Protected Health Information (ePHI) includes what a covered entity creates, receives, maintains, or transmits in electronic form. Mediums such as emails, texts, and so on. Now that you have a better idea of what these terms mean, let’s go over how they apply to HIPAA. More specifically, the Security & Privacy Rules.

The HIPAA Privacy Rule

The HIPAA Privacy Rule’s role in keeping information safe is an essential pillar which all health organizations and their business associates must uphold. Not only does it protect individually identifiable health information, but it allows patients to understand and control the use of their health information.

HIPAA Privacy Rule requirements:

• Apply to most healthcare facilities and providers. Including those who don’t have electronic health records (EHR). As well as those who do not participate in a Centers for Medicare and Medicaid Services EHR incentive program.
• Protect sensitive health information by setting a federal floor to do so across all mediums.
• Limits how healthcare providers may use PHI and ePHI they receive or create.
• Gives rights to patients when it comes to their PHI. This includes a right to look over and obtain a copy of their medical records. Also, the right to ask to amend their record if the information is inaccurate.
• Enforces requirements for administrative teams including training of employees.
• Establishes civil penalties.

The tenets of the Privacy rule are:

• You may use or disclose PHI for treatment, payment, and healthcare operations without a patient’s written permission. However, you may need to obtain an individual's authorization to use or disclose their PHI for other purposes, such as marketing.
• Agreements with any of your business associates that handle PHI must explicitly require them to comply with HIPAA. This includes breach notification requirements.
• You must only use PHI to complete a necessary action. In other words, limit your access, use, and disclosure of PHI to the minimum extent necessary to carry out your job.

Patients' Rights and Your Responsibilities

As I said before, patients have the right to access their information at any time. As a covered entity you have the responsibility to the patient under the HIPAA Privacy Rule to respect these rights.

For example, under the Privacy Rule, covered entities must ensure patients understand how they use and disclose their PHI. Giving patients a Notice of Privacy Practices that explains how they use their information accomplishes this. This notice should also cover a patient's legal rights with respect to their PHI and the covered entity’s legal duties.

Patients also have the right to review and obtain a copy of their medical records held by either covered entities or business associates. It is the general rule that healthcare providers have to provide patient’s their medical records within 30 days of a filed request.

Quick side note, a business associate is an organization or entity that performs certain functions which involve the use of PHI on behalf of a covered entity. An example of a business associate might be a healthcare clearinghouse that handles a provider’s claims before sending them to a payer.

Another patient right that covered entities must honor is the right to request a revision of their PHI. If a patient requests this, the covered entity must make a reasonable effort to provide the alteration. If they deny the request, the covered entity must provide the patient with a written denial. The patient can then decide to submit a statement of disagreement for inclusion in the record.

Individuals also hold the right to receive an accounting of disclosures. Also to be able to request the restriction of the use or disclosure of their PHI. Note that a covered entity is not obligated to agree to a restriction request, however, there must be a procedure in place to evaluate these requests. If they accept the restriction request, the provider must agree to the set terms, except for the purposes of treating a patient in an emergency situation.

The HIPAA Security Rule

Now that you know a little more about the HIPAA Privacy Rule, let’s move on to look at the Security rule and see how it differs. The HIPAA Security rule has the same basic idea in that it helps to protect patients’ health information. However, this rule covers e-PHI only. All electronic information created, received, used, or maintained by a covered entity falls under the Security Rule.

Security measures implemented through administrative, physical, and technical safeguards help to ensure the integrity and confidentiality of ePHI. Let’s look into these practices which can help you avoid some of the more common security gaps that lead to data loss and security breaches.

Administrative Safeguards

Administrative safeguards create the standards and regulations for your healthcare information security program which include:

• Security management processes. These identify and analyze risks to e-PHI as well as implement security measures to limit risks.
• Staff training. Ensures the knowledge and compliance of your policies standards.
• Information access management. It is important to limit access to e-PHI, which helps to protect health information.
• Contingency plan. To be able to respond to emergency situations efficiently or restore lost data.

Physical Safeguards

Physical safeguards control physical access to things such as computer systems, phones, or your office in general. Some required physical safeguards include:

• Facility access controls. These controls might include alarms, locks, or security cameras. This ensures that only authorized personnel have access to facilities that contain sensitive information.
• Workstation security measures. Cable locks and computer monitor privacy filters are two tools that guard against theft and unauthorized access.
• Workstation policies. These ensure proper access to and use of employees’ workstations.

Technical Safeguards

Technical safeguards might include things such as hardware, software, and other technology that help limit access to e-PHI. Some required technical safeguards include:

• Access controls. These help restrict access to PHI, allowing authorized personnel only.
• Audit controls. Monitor activity on systems that contain e-PHI, like an electronic health record system.
• Integrity controls. Prevent improper e-PHI alteration or destruction.
• Transmission security measures. Protect e-PHI when transmitted over any electronic network.

Who Must Comply with HIPAA Rules?

Healthcare providers must adhere to HIPAA rules.

Professionals including doctors, clinics, hospitals, nursing homes, and pharmacies are some of the covered entities that readily come to mind. Health plans and healthcare clearinghouses are some of the less obvious, but just as important, professionals that must comply with these rules, too.

Essentially, to keep it simple, if you perform certain functions or actions that involve the use or disclosure of PHI or ePHI, you need to follow HIPAA rules and guidelines.

Conclusion

Although it is impossible to guarantee you will never be a victim of a data breach, by following the proper guidelines you can reduce the risk drastically. Any healthcare facility that handles PHI or e-PHI is responsible for complying with HIPAA Privacy AND Security Rules.

Taking the time to monitor the security of patients’ sensitive information is essential. Having a security process in place, along with a contingency plan, can save you from both data and financial losses.