HIPAA Security Rule and ePHI Requirements

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is focused on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained, or transmitted by a covered entity (CE) against reasonably anticipated threats, hazards, and impermissible uses or disclosures. Covered entities include covered healthcare providers, health plans, healthcare clearinghouses and Medicare prescription drug card sponsors. Business associates are not covered entities, but the HITECH Act (see below) makes them directly subject to the Security Rule as well. By meeting the Security Rule requirements for ePHI, CEs also meet the ePHI-related requirements of the Privacy Rule.

To achieve compliance with the HIPAA Security Rule, CEs must satisfy the standards and implementation specifications in its six main sections:

  • Security Standards - General Rules – the general requirements all covered entities must meet to ensure reasonable and appropriate protection of ePHI.
  • Administrative Safeguards – defined as the “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.” [1]
  • Physical Safeguards – defined as the “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” [2]
  • Technical Safeguards – defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” [3]
  • Organizational Requirements – standards to ensure appropriate safeguards are in place at business associates and others with whom ePHI is shared, typically through business associate contracts. [4]
  • Policies and Procedures and Documentation Requirements – ensures that covered entities have formal plans (i.e., policies, procedures and documentation) in place for the reasonable and appropriate implementation of ePHI security, and that this documentation is retained and kept current. [5]

The HIPAA Security Rule requirements were most recently expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which establishes mandatory federal breach notification requirements and expands the criminal and civil penalties for non-compliance. Business associates of covered entities are now directly required to comply with the Security Rule.


Security Management Solutions from Lumension Help Covered Entities Protect ePHI and Ensure HIPAA Compliance

Endpoint management and security software from Lumension addresses HIPAA Security Rule compliance challenges and enables Covered Entities and their Business Associates to protect confidential electronic medical records and improve operational efficiencies. These solutions include:
  • Lumension® Patch and Remediation – Reduces organizational risk and optimizes IT operations through the timely, proactive elimination of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and 3rd party vulnerability content support includes Microsoft® Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle® Java™ and more.
  • Lumension® Content Wizard – Delivers customized extensibility through wizard-driven and custom scripting tools to take any action on endpoints including deploying and removing software, remediating configurations, performing systems management tasks and delivering custom patches.
  • Lumension® Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates while reducing configuration drift.
  • Lumension® AntiVirus – Provides signature-based (blacklist) detection and removal of malware including viruses, worms, spyware, Trojans and adware.
  • Lumension® Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted are allowed to execute. Includes Advanced Memory Protection to defend against sophisticated memory injection attacks.
  • Lumension® Device Control – Enforces usage policies for device and ports while providing FIPS 140-2 level 2 validated encryption of data on removable media to prevent data loss / theft.
  • Lumension® Disk Encryption – Provides full disk encryption using FIPS 140-2 validated encryption algorithms, and also encrypts the swap and hibernation files so that ePHI paged or saved to disk from memory is not left in the clear.


Lumension solutions can help Covered Entities and their Business Associates protect against targeted attacks, prevent data loss or theft, enforce security policies, prepare for compliance audits, and lower the cost of IT security.


The Cost of Non-Compliance

HIPAA compliance is enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the civil side and by the Department of Justice (DOJ) on the criminal side. Under the original statute, the civil penalty is not more than $100 for each violation and not more than $25,000 for all violations of an identical requirement during a single calendar year; as noted below, the HITECH Act increased these amounts. [6]

Knowingly obtaining or disclosing individually identifiable health information, or improperly using a unique health identifier, is subject to the following criminal penalties, which escalate with the offender's intent: [7]

  Offense                                   Fine (up to)   Prison (up to)
  Knowingly                                 $50,000        1 year
  Under false pretenses                     $100,000       5 years
  For commercial gain, advantage, or harm   $250,000       10 years

HIPAA compliance is now being strictly enforced and the penalties for non-compliance are substantial. The recently signed stimulus package (the American Recovery and Reinvestment Act of 2009) contains significant additions to HIPAA via the HITECH Act. The new rules include a breach notification requirement, which obliges covered entities to notify affected individuals of a breach of unsecured PHI and, if more than 500 people are affected, to also notify HHS and "prominent media outlets"; they also increase the civil and criminal penalties.