Table 1. Comparing the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule and HIPAA Security Rule across various features of the rule.

| Features | HIPAA Privacy Rule | HIPAA Security Rule |
|---|---|---|
| Purpose | Protects the privacy of an individual's health information | Protects the security of ePHI^a |
| Covered entities | Health plans, health care clearinghouses, and health care providers | Covered entities and their business associates |
| Privacy standards | Limits how covered entities can use and disclose PHI^b | Ensures confidentiality, integrity, and availability of ePHI |
| Required measures | Covered entities must have policies and procedures in place to protect PHI | Covered entities must implement administrative, physical, and technical safeguards to protect ePHI |
| Access controls | Covered entities must limit access to PHI to authorized individuals | Covered entities must implement technical policies and procedures to control access to ePHI |
| Data encryption | Required only for ePHI transmitted over an open network | Required for all ePHI, both in transit and for storage of data |
| Breach notification | Covered entities must report breaches of PHI to affected individuals and the HHS^c | Covered entities must notify affected individuals, HHS, and the media (for large breaches) of any breach of unsecured ePHI |
| Enforcement | Enforced by the HHS OCR^d | Enforced by the HHS OCR and the HHS Office of the Inspector General |

^a ePHI: electronic protected health information.
^b PHI: protected health information.
^c HHS: Department of Health and Human Services.
^d OCR: Office for Civil Rights.