This post, Security 101 for Covered Entities, is the first in a series of posts we are calling the HIPAA Series.

The series will contain seven posts:

  1. Security 101 for Covered Entities
  2. Security Standards: Administrative Safeguards
  3. Security Standards: Physical Safeguards
  4. Security Standards: Technical Safeguards
  5. Security Standards: Organizational, Policies and Procedures, and Documentation Requirements
  6. Basics of Risk Analysis and Risk Management
  7. Implementation for the Small Provider

This series also has two spin-offs. If you do not yet have a basic understanding of HIPAA, we suggest reading the following two posts before starting the series:

Now to Security 101 for Covered Entities.



This article is a summary of the HHS paper of the same name:

Security 101 for Covered Entities

For more information, please refer to



Administrative Simplification 

The Department of Health and Human Services (HHS) has published rules implementing a number of the Administrative Simplification provisions, including:

  • National identifier requirements for employers, providers, and health plans: The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers. The National Provider Identifier (NPI) was adopted as the standard unique health identifier for health care providers. The health plan identifier rule is expected in the coming years.
  • Electronic Transactions and Code Sets Rule: All covered entities should have been in compliance with the electronic transactions and code sets standard formats as of October 16, 2003.
  • Privacy Rule: Governs the use and disclosure of protected health information (PHI). Compliance was required by April 14, 2003 (April 14, 2004 for small health plans).
  • Security Rule: The provisions of the Security Rule apply to electronic protected health information (EPHI), that is, PHI that a covered entity creates, receives, maintains, or transmits in electronic form.



Who Must Comply? 

The standards, requirements, and implementation specifications of HIPAA apply to the following covered entities:

  1. Covered Health Care Providers: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
  2. Health Plans: Any individual or group plan that provides or pays the cost of health care.
  3. Health Care Clearinghouses: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.
  4. Medicare Prescription Drug Card Sponsors: A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.



The Privacy Rule vs Security Rule

The Privacy Rule sets the standards for who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI actually have it.

The Privacy Rule already requires covered entities to have appropriate administrative, physical, and technical safeguards in place.

As a result, covered entities that have implemented the Privacy Rule requirements may find that they have already taken some of the measures necessary to comply with the Security Rule.

The primary distinctions between the two rules are:

  • The Privacy Rule applies to all forms of patients' protected health information, whether electronic, written, or oral. The Security Rule covers only protected health information that is in electronic form.
  • The Security Rule provides far more comprehensive security requirements than the Privacy Rule's safeguard provision, and at a level of detail that provision does not give.



"Safeguard" requirement in the Privacy Rule (45 CFR 164.530(c))

1- Standard: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

2- Implementation specification:

  • A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart.
  • A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.


Implementation Specifications 

An "implementation specification" is an additional, more detailed instruction for implementing a particular standard. Each set of safeguards is made up of a number of standards, and each standard is generally made up of a number of implementation specifications that are either required or addressable.

  • If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires.
  • If an implementation specification is addressable, the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity's environment. If it is, the entity must implement it.

Addressable does not mean optional. If implementing an addressable specification is not reasonable and appropriate, the covered entity must:

  1. Document the rationale supporting the decision, and
  2. Either implement an equivalent alternative measure that is reasonable and appropriate and accomplishes the same purpose, or
  3. Not implement the addressable specification or an alternative measure, but only if the standard can still be met and neither the specification nor an alternative would be reasonable or appropriate.

In every case the decision and its rationale must be written down; the documentation is what an auditor will ask for.



Overview of the Process 

To comply with the Security Rule, all covered entities should use the same basic approach. At a minimum, the process requires covered entities to:

  1. Assess current security, risks, and gaps.
  2. Develop an implementation plan.
  3. Implement solutions.
  4. Document decisions.
  5. Reassess periodically.


Develop an Implementation Plan 

  • Read the Security Rule: A covered entity should review all of the standards and implementation specifications.
  • Review the addressable implementation specifications: For each addressable implementation specification, a covered entity must determine whether it is reasonable and appropriate in the entity's environment.
  • Determine security measures: A covered entity may use any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications; the rule is technology neutral and does not prescribe specific products.



Security Standards 

The security standards fall into the following categories:

  • Administrative: Policies and procedures for managing security, including assigning or delegating security responsibility to an individual and providing security awareness and training.
  • Physical: The mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion.
  • Technical: The technology and related policies used to protect EPHI and control access to it, such as authentication controls that verify the person signing on to a system is authorized to access that EPHI, or encryption of data while it is stored and/or transmitted.





