HIPAA Security Rule

Citation
HIPAA Security Rule

Overview
The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). Although FISMA applies to all federal agencies and all information types, only a subset of agencies are subject to the HIPAA Security Rule based on their functions and use of EPHI. All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:
 * Covered Healthcare Providers—Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which the Department of Health and Human Services (DHHS) has adopted a standard.
 * Health Plans—Any individual or group plan that provides, or pays the cost of, medical care, including certain specifically listed governmental programs (e.g., a health insurance issuer and the Medicare and Medicaid programs).
 * Healthcare Clearinghouses—A public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
 * Medicare Prescription Drug Card Sponsors—A nongovernmental entity that offered an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” remained in effect until the drug card program ended in 2006.

Source
NIST Special Publication 800-66, at vii.