Why is the HIPAA Security Rule needed and what is the purpose of the security standards?


In enacting HIPAA, Congress mandated the establishment of Federal standards for the security of electronic protected health information (e-PHI). The purpose of the Security Rule is to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of e-PHI. Security standards are needed because the exchange of protected health information between covered entities, and between covered entities and non-covered entities, continues to grow. The standards mandated in the Security Rule protect an individual's health information while permitting appropriate access to and use of that information by health care providers, clearinghouses, and health plans. The Security Rule establishes a Federal floor of standards; State laws that provide more stringent protections continue to apply over and above the Federal security standards.

Health care providers, health plans and their business associates have a strong tradition of safeguarding private health information. However, in today’s world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the Rule provides clear standards for the protection of e-PHI.

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013