If you’ve been searching around about HIPAA compliance, you’ve probably seen the terms “Privacy” and “Security”. They both relate to compliance on the subject of protecting patient information, but here’s the distinction:
Image above showing encrypted data being inaccessible by unauthorized individuals.
The HIPAA Privacy Rule establishes standards meant to protect a patient’s health records, and it sets limits and conditions on how their PHI (Protected Health Information) can be used and disclosed without their authorization. These restrictions cover every method of disclosure, including electronic, oral and paper. It also states that patients have the right to view their own health records and to request corrections to them.
In short, the Privacy Rule’s main objective is physically protecting patient records against unauthorized access.
The HIPAA Security Rule is similar in protecting against unauthorized access, but it focuses its attention on electronic PHI (ePHI) and the steps necessary to meet this requirement. It states that technical, physical and administrative safeguards must be implemented to ensure the confidentiality of all ePHI, as well as to maintain the integrity and availability of any ePHI. Integrity means the records are unaltered unless the change is made in an authorized manner (for example, a patient requests a change because their address was entered incorrectly). Availability means on-demand access to these records by an authorized person.