Health Law Blog

The HIPAA Security Rule: Data Security Compliance For Health Care Providers

It is becoming increasingly common for healthcare providers and affiliated entities to store protected health information in electronic form. As the healthcare sector becomes more mobile and data-driven, the potential for data security risk and breaches increases. For this reason, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) was designed to secure this information. At O’Connell and Aronowitz, our experienced health law attorneys work with healthcare providers (covered entities) and their ancillary service providers (business associates) to develop procedures and other safeguards to ensure they are in compliance with the HIPAA Security Rule. We also assist providers and health-related businesses when they have been victims of identity breaches, including criminal cyberattacks and ransomware events.


Electronic Protected Health Information (e-PHI)

The Security Rule is designed to enhance the protection of health information that is covered under the HIPAA Privacy Rule. In particular, information that a covered entity creates, receives, maintains or transmits in electronic form is protected under the Security Rule and is deemed to be “electronic protected health information” or “e-PHI.” The rule applies to health plans, health care clearinghouses, and any healthcare provider (or “covered entity”) that transmits health information in electronic form. The Security Rule requires covered entities to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of all e-PHI. This information cannot be made available to unauthorized persons, nor be altered or destroyed in an unauthorized manner; it must be accessible and usable on demand by an authorized person. Among the authorized users of e-PHI are often business associates, or service providers to covered entities. In order to achieve these objectives, it is necessary for covered entities and business associates to undertake a Security Risk Analysis to identify potential data security threats and vulnerabilities, take steps to protect against them, and prevent anticipated, impermissible disclosure or use of e-PHI. Similar to the Privacy Rule, the Security Rule also requires appointing a security officer who is responsible for developing and implementing written policies and procedures. Lastly, covered entities must also establish a compliance training program for their employees.


What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the American Recovery and Reinvestment Act of 2009 (ARRA). The law is designed to promote technology and encourage healthcare providers to store patient files electronically. The law essentially expands the responsibilities of healthcare providers and affiliated businesses under the HIPAA Privacy and Security Rules. Lastly, the ARRA offers incentives to healthcare providers to transfer their information into electronic form, but also requires periodic audits and has penalties for noncompliance.


Data Breach and Security Compliance with O’Connell and Aronowitz

At O’Connell and Aronowitz, we work closely with healthcare providers, business associates and other businesses to ensure they are compliant with the Security Rule and other obligations under HIPAA and the HITECH Act. We advise security and compliance officers and in-house legal counsel on preparing comprehensive risk management strategies and written security policies and plans, on developing oversight capabilities, and we work with clients to implement security risk analyses and to prepare for and respond to government audits and investigations. While electronically storing e-PHI is designed to improve efficiency and enhance the delivery of healthcare, this critical data must be protected through the implementation of appropriate safeguards to minimize the risk of data loss, data corruption and data breaches. Our experienced health law attorneys can advise and guide you through the process of proactively planning to safeguard e-PHI or promptly responding to a data breach so your business can continue to operate without disruption.
