HIPAA Privacy vs. Security: What's the Difference?

While HIPAA privacy and security may seem like interchangeable concepts, they are not the same thing. Today we will examine the difference between HIPAA privacy and HIPAA security. Assured Tech Services can give you the information you need to maintain HIPAA compliance and keep patient information private and secure.

What is HIPAA Privacy?

HIPAA was passed into law in 1996 to protect the privacy and security of a patient's protected health information or PHI. The HIPAA Privacy Rule "establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." 

Examples of HIPAA privacy protections include protective policies, forms, and guidelines in which patients give their authorization for medical providers to share their information for medically relevant purposes only. This includes: 

  • Medical treatment

  • Determination of eligibility or coverage

  • Billing

  • Claims management

  • Healthcare data processing

  • Evaluation of healthcare provider performance

  • Conducting quality assessments 

  • Business planning

  • Medical referrals

For anything outside patient treatment, payment, or operations, a healthcare provider must receive a patient's authorization for any use or disclosure of PHI.

What is HIPAA Security?

The main objective of HIPAA security is to ensure that electronic PHI (ePHI) is not hacked, stolen, or misused. Additionally, HIPAA security makes sure that ePHI is not destroyed and is always available. 

Examples of HIPAA security measures include firewalls, anti-virus software, data encryption, and promoting generally sound cybersecurity practices for your staff. 

What is the Distinction Between HIPAA Privacy and HIPAA Security?

HIPAA privacy is the overarching concept that applies to all PHI. HIPAA security is an aspect of HIPAA privacy, but it refers specifically to the securing of ePHI. 

Obviously, there are major differences between measures taken to protect the privacy of PHI stored in more traditional formats and ePHI. That's where the HIPAA Security Rule comes in.

The HIPAA Security Rule 

The HIPAA Security Rule is a federally mandated rule that protects the confidentiality, integrity, and availability of PHI. It provides a "minimum floor" of protection for ePHI. It was put in place to protect ePHI from reasonably anticipated hazards, protect against reasonably anticipated uses or disclosures not permitted by the Privacy Rule, and ensure compliance from a healthcare provider's workforce.

The HIPAA Security Rule doesn't advocate providers use any particular type of technology. It's also scalable even for smaller medical offices like dental offices or small healthcare providers. 

It applies to any healthcare provider that stores or transmits ePHI. This includes covered entities such as healthcare providers, but also the business associates they share that data with. 

Since most healthcare providers store or transmit ePHI, the HIPAA Security Rule applies to almost everyone. It is only providers that store PHI on paper and who do not rely on computer systems who are exempt.  

 

Who is Tasked with Maintaining HIPAA Compliance? 

For healthcare providers, every touchpoint that handles PHI is responsible for HIPAA compliance. Along with doctors, dentists, and specialists, this can include answering services, medical billing, IT companies, software companies, consultants, actuarial companies, insurance companies, and others. 

HIPAA applies to both covered entities (providers, plans, and clearinghouses) and business associates (third party vendors with whom covered entities share PHI). 

Examples of How ePHI Can Be Compromised

The major distinction between securing ePHI and maintaining the privacy of PHI is the technical expertise involved with the security of PHI. There are multiple ways in which ePHI can be compromised, either intentionally or unintentionally. 

One way is through a cyber attack on a healthcare provider, which is, unfortunately, far from rare. Data breaches in the healthcare and public health sector are becoming frighteningly common.

Consider the example of the California hospital forced to pay over $17,000 in ransom to hackers who were holding ePHI "hostage." All because an employee clicked a nefarious link on a seemingly harmless email. 

The exposure of ePHI to various threats, both intentional and unintentional, has never been higher. Unlike protecting more traditional forms of PHI, it requires a certain degree of technical expertise and savvy to secure and manage. It calls for a higher degree of technical sophistication you and your staff may not possess if you aren't cybersecurity experts. 

What Happens If You Don't Maintain HIPAA Compliance? 

Failure to maintain HIPAA compliance can result in several negative consequences for your practice. The most important possible negative consequence is the compromising of patient data. Your patients may be exposed to a lack of privacy or malicious actors looking to access their ePHI. To maintain your status as a trusted partner to all your patients and maintain credibility, you have to protect their information. 

The consequences don't end with you losing your patients' trust, however. The potential blowback to your firm can be widespread and incredibly damaging. HIPAA violations can lead to financial penalties, loss of market share, loss of accreditation, increased capital costs associated with "late" compliance efforts, litigation damages, or even imprisonment. 

The damage to your practice's operations, reputation, and bottom line could be incalculable. 

How Do You Secure Your Patients' ePHI? 

The best way to secure your patients' ePHI is by partnering with a proven technical expert well-versed in various forms of IT support. Rather than going through the time-consuming and costly process of training your staff to handle cybersecurity concerns, task someone who has a previously demonstrated level of subject matter expertise. This cuts down on time spent managing cybersecurity issues and lets you and your staff do what they do best - provide high-quality patient care. 

The best way to start is with a HIPAA security audit performed by a knowledgeable cybersecurity expert who understands the space. Let Assured Technology Services be your partner in securing your patients' ePHI and avoiding HIPAA slip-ups. Assured Technology offers comprehensive HIPAA security audits as part of our suite of services. We also offer consultation, implementation, and maintenance and support. We specialize in providing high-quality IT services to small medical and dental offices.

To learn more about what support we can offer, contact us today. 

HIPAA privacy and security make sure offices, doctors and patients are protected.


Receive a free HIPAA Pre-Risk Checklist now by filling out the following form.


The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s technical safeguards. A risk assessment also helps reveal areas where your organization’s electronic protected health information (ePHI) could be at risk. Fines for a data breach at your practice could range from $100 to $50,000 per violation/record. Since 2011, over 21,000,000 health records have been compromised. Dental and orthodontic practices are well-known targets for hackers because of relaxed security practices that leave networks easy to exploit.

A technology self-assessment doesn't only cover HIPAA and ePHI; it is also required for PCI and cyberattack insurance. Please follow the link for a free Self IT Risk assessment form, and contact an Assured Technology Services IT Account Manager for more information on how to gain full awareness of your practice's technology and the risks associated with it, and to protect the ePHI of your patients, employees, and/or family members from theft.