Are you ready for HIPAA security rules?
By Robert H.C. Ralston, Esq. Published February 2005
On February 20, 2003, the Centers for Medicare and Medicaid Services issued final regulations for the electronic security requirements of the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Compliance Act. These final regulations take effect on April 20, 2005. The security regulations are the second wave of administrative simplification regulations to come from HIPAA, and work hand-in-hand with the privacy regulations that went into effect in 2003.
Both sets of regulations control Protected Health Information (PHI). The privacy regulations set rules for the use and disclosure of patients' PHI, and apply to all communications, whether electronic, written, or oral. In contrast, the security regulations apply only to PHI stored on or transmitted by electronic media (electronic PHI, or ePHI). Although narrower in that regard, the security regulations have a broader aim than the confidentiality focus of the privacy regulations. While protection against unauthorized use or disclosure is still the core goal, the security regulations also address the integrity and availability of ePHI. To accomplish those goals, the security regulations address such issues as data backup, disaster recovery and emergency operations.

The HIPAA security rules apply to health plans, health care clearinghouses, and health care providers that transmit any PHI in electronic form. Examples include electronic claim submissions (either directly or through a billing clearinghouse), on-line insurance eligibility requests, and emails containing patient information. "Electronic form" means the ePHI is sent either on electronic media or via an electronic transmission. Electronic media refers to digital media like hard drives, floppy disks, CD-ROMs, and removable memory cards. Electronic transmissions include the Internet, leased and dial-up lines, and private networks (whether wired or wireless). Telephone calls and faxes are not considered electronic transmissions and are not covered by the HIPAA security regulations, although all the privacy regulations still apply.

While the security regulations deal with electronic information, they are not just about technical issues. Do not assume that your "IT people" will be able to take care of compliance. Electronic security is a significant component of the final rule package, but it is not the largest or most important part.
The best software security package from the most reliable vendor will not be enough to comply with the rules. More than one-third of the requirements under the security regulations call for you to create administrative policies, and you must document every action you take to comply with the security rules. No software package can draft those policies, and many of the decisions involved may be beyond the expertise of your IT personnel. Compliance with the regulations will likely require the input of a broad cross-section of your staff.

The security regulations are divided into three sets of safeguards: administrative, physical, and technical. Each safeguard is subdivided into implementation specifications, which are the actions you must take in order to comply with the regulations.

Administrative safeguards are the written policies you will develop to control personnel behavior and provide a framework for accessing and using ePHI. The administrative implementation specifications include creating policies and procedures for risk analysis and management, security training, information access, security incident procedures, and emergency contingency plans.

Physical safeguards are the methods you will use for securing your physical spaces and the devices that contain electronic health information. This safeguard contains specifications for creating procedures that control physical access to your facility, access to your computers, and the backup and disposal of electronic devices.

Finally, technical safeguards apply to your information systems and determine how you protect your hardware, software, and networks. Their implementation specifications include computer user authentication, data encryption, and information integrity verification.

Many of the actions required under these safeguards will overlap. For example, implementation specifications for access controls are found in all three safeguards. You will create access control procedures for your physical spaces, access control procedures for your networks and computer systems, and administrative policies that establish both.

The implementation specifications under each safeguard are either required or addressable. You must perform required actions in order to achieve full compliance. You may choose to perform addressable actions at your discretion, based on the size and capabilities of your practice, your technical capabilities, the costs involved and the probability of the risks you face. You cannot dismiss the addressable specifications just because you have the freedom to determine their exact implementation. Addressable does not mean optional! The security regulations require you to fully document how and why you make all your implementation decisions, even in cases where you choose not to implement an addressable specification at all.

The security regulations may require you to add new provisions to your business associate agreements. Echoing the privacy regulations, the security regulations require plans and providers to ensure that any vendors, contractors, and service providers that access ePHI have policies in place to protect that information. This means that businesses other than health care providers, plans, and systems will have to comply with the regulations. For example, if your practice hires an Internet service provider to maintain your computers or provide your Internet access, your business associate agreement with that ISP must require it to implement policies and procedures to protect your patients' ePHI.

Three Steps to Get You Started

Assign security responsibility. The security regulations require you to assign a security official to be responsible for both your initial compliance process and your ongoing security efforts. As the security regulations apply to both physical and electronic security, and have extensive requirements for administrative documentation, you need to make sure your official has all the skills and experience to meet the challenge. You may use teams or committees to assist your security official, but a single designated person must be in charge.

Survey all aspects of your practice that involve ePHI. You cannot take steps to protect your electronic health information until you know all the locations in your business where ePHI resides. The security regulations apply to ePHI located on computers, PDAs, floppy disks, diagnostic equipment and other electronic media and devices. You need to have a clear idea of where your ePHI is and how it moves and is used on a daily basis before you can determine the risks it faces and the methods you will use to protect it.

Start your risk assessment process. A comprehensive risk assessment is the first required action under the administrative safeguards. The assessment should catalog all of the risks and vulnerabilities facing your electronic records and systems. This risk assessment provides your basis for determining the level of risk deemed acceptable to your business and will drive your review of policies and procedures, as well as your ultimate security decisions. The risks you identify during this analysis are what you will weigh when you decide whether the addressable actions are applicable to your practice.

With all the other requirements of a busy practice, regulatory compliance can seem an overwhelming (and irritating) burden. The security regulations may require even more time and effort than you spent on the earlier HIPAA privacy regulations. Every compliance decision you make, even if you are deciding not to implement one of the specifications, must be fully and clearly documented. You must create policies and procedures to address a wide variety of safeguards, and your compliance process may require the participation of your vendors, contractors and service providers. Indeed, those business associates may soon come to you and ask you to participate in their compliance process (assuming they have not already). April 20 will be here sooner than you think, and if your practice has not yet started the compliance process, you need to make it one of your highest priorities.

Robert H.C. Ralston, Esq., is associated with the Houston Harbaugh Health Law Practice. Houston Harbaugh is located in Pittsburgh, Pa.
© 1996-2007, Physician's News Digest, Inc. All rights reserved.