Privacy vs security

June 3, 2005

My practice is fully compliant with the privacy rule, but now I'm receiving solicitations from consultants who want to come in and assess our compliance with the new security rule. Can you explain the difference between these two parts of HIPAA?

Q: My practice is fully compliant with the privacy rule, but now I'm receiving solicitations from consultants who want to come in and assess our compliance with the new security rule. Can you explain the difference between these two parts of HIPAA?

A: Think of the HIPAA privacy rule as determining which health information should be afforded privacy protections, who should have access to it, and how it should be controlled. It's the broadest of the HIPAA rules, since it covers medical information in any form.

The security rule, on the other hand, pertains only to medical information that's stored or transmitted electronically. Unlike the privacy rule, it defines the administrative, physical, and technical safeguards that doctors, among others, must put into place to protect restricted information. (These safeguards extend to personal computers, PDAs and other handheld devices, but not to conventional fax machines or voice mail.) If you store medical information in your office computer, for example, you must institute the proper safeguards, so that only authorized persons have access to it.

The common purpose of both the security and privacy rules is to protect medical confidentiality-a catchall term pertaining to the right of a patient to have her individually identifiable information protected from disclosure to unauthorized persons or entities.