Road to HIPAA Compliance: Understanding the Security Rule

by KirkpatrickPrice / June 15th, 2016

3 Things to Know About Protecting ePHI

This session gives an overview of the Security Rule, one of the most familiar aspects of HIPAA compliance. The goal of the Security Rule is to secure electronic Protected Health Information (ePHI) by ensuring its confidentiality, integrity, and availability; protecting against threats; protecting against unpermitted disclosures; and ensuring workforce compliance. When learning the basics of this regulation, it is vital to understand three things: scope, flexibility of approach, and the three types of safeguards.

Scope

The Security Rule applies only to ePHI; paper PHI is outside its scope. This does not narrow the scope so much as tailor it to the specific issues, vulnerabilities, costs, and approaches that relate to the integrity and security of ePHI.

Flexibility of Approach

The requirements are the same for every entity, but how an entity complies with them varies with entity-specific considerations. Part of that flexibility lies in the distinction between required and addressable implementation specifications under each of the three types of safeguards. A required implementation specification must be implemented as written; there is no alternative method. An addressable implementation specification allows an entity to choose an alternative or equivalent compensating control.

Three Types of Safeguards

There are three types of required safeguards for protecting ePHI: administrative, technical, and physical. Administrative safeguards cover personnel, training, access, and process. Technical safeguards cover access, audit, integrity, and transmission. Physical safeguards cover access, workstations, and devices.

To learn more about the HIPAA Security Rule, contact us today and speak to an expert.