

HIPAA Security Rule Requirements and How it Can Impact Your Company

In today’s modern technological age, companies dealing with sensitive patient health information need to be hypervigilant when assessing the security protocols they have in place to safeguard this data. Specifically, the HIPAA Security Rule requires covered entities[1] to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI[2].
Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

It is important to note that HHS recognizes that these covered entities can vary in size, from the smallest to the largest provider. This allows covered entities to apply the Security Rule in a flexible manner so that the covered entities can assess their own needs and take action where appropriate in specific environments. Items such as the nature, resources, and size of the business are all factors that must be considered when a covered entity is assessing their specific needs.

As a result, the Security Rule requires the covered entity to consider items such as the entity’s size and the complexity of its business, its hardware and software capabilities, the cost-benefit analysis of security measures, and the potential risks to sensitive patient health information. Each of these required considerations may change periodically depending on the covered entity’s business and needs, so consistent monitoring must be performed in order to ensure the protection of e-PHI. As technologies advance and become more relevant to the normal course of business today, cyber-attacks and security breaches are having more of an impact on businesses than ever before. This further affirms the need to constantly assess the Security Rule, its requirements, and how to best protect sensitive data.

One such recent example of this growing security risk can be seen right here in Pennsylvania with the recent settlement of a lawsuit related to a data breach that occurred at the University of Pittsburgh Medical Center. According to the HIPAA Journal, a website dedicated to HIPAA compliance, news, laws, and training, UPMC agreed to a $450,000 settlement on June 23, 2022. The class action data breach lawsuit was brought by individuals who had suffered losses due to the theft and misuse of sensitive patient health information. The breach affected approximately 36,000 patients whose e-PHI had been stolen by an unauthorized third party between April 2020 and June 2020. Interestingly, the breach occurred at UPMC’s legal counsel, which provided billing-related services. This example goes to show that even large organizations such as UPMC can easily be affected by security breaches. Even companies not directly associated with the medical industry, such as the legal counsel where the breach actually occurred, must ensure they perform appropriate assessments around the Security Rule requirements.

The previously stated breach is just the latest example of how important it is in this modern age of technology to consistently assess the Security Rule, its requirements, and how to best protect sensitive data. Covered entities must continually assess their business and how e-PHI is being transmitted or used within their own companies, and determine how to best protect this information. As each covered entity’s situation will differ, it is important for companies to access the latest resources in HIPAA compliance. The HHS website includes helpful information around the Security Rule and different guidance that can be used, such as Administrative, Technical, and Physical Safeguards. For more information about HIPAA compliance and related audits, visit our HIPAA services page. McKonly & Asbury can assist clients in identifying and implementing the necessary safeguards to protect protected health information and pass a HIPAA compliance audit. Please contact us if you have questions about the process or are ready to move forward with a HIPAA assessment.

[1] Covered Entities – Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

[2] e-PHI – electronic protected health information

About the Author

Kevin Chrencik

Kevin joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Audit & Assurance Segment, serving the manufacturing industry as well as the firm’s System and Organization Controls (SOC) practice.
