On February 20, 2003, the Department of Health and Human Services (HHS) released the final HIPAA Security Regulations, which establish a minimum standard for the security of electronic Protected Health Information (ePHI). The standards require that basic safeguards be implemented to protect ePHI from unauthorized access, alteration, deletion, or transmission. With the exception of small health plans, Covered Entities are required to comply by April 20, 2005. Small health plans (health plans with annual receipts of $5 million or less) have an additional year to comply.
The HIPAA Privacy Regulations govern a) who may access Protected Health Information (PHI) and b) how PHI may be used and disclosed. The HIPAA Privacy Regulations govern PHI that is oral, electronic, or written.
In contrast, the HIPAA Security Regulations set forth administrative, physical, and technical security standards that are intended to ensure that only those individuals who are authorized to access ePHI can do so. The HIPAA Security Regulations govern ePHI only and require that security measures be in place to protect it.