Eavesdrop on a conversation about HIPAA compliance and most likely you’ll hear the words “privacy” and “security” — sometimes separately, often together, and usually in the context of safeguarding patient information.
“So, what exactly is the difference between ‘privacy’ and ‘security’ in relation to HIPAA compliance?” you ask.
With today’s HIPAA Quick Tip I’ll try to clear that up. And at the end of this post, you can test your understanding of that distinction with a one-question quiz. (I’m joking. Sort of. You’ll see.)
The HIPAA’s Privacy Rule refers to the broad requirements to protect the confidentiality of Protected Health Information (PHI) in its various forms, including on paper and in conversation. For instance, the HIPAA Privacy rule covers such things as a doctor talking loudly on the phone about a particular patient in a place where he or she can be overhead.
In addition to requiring appropriate safeguards to protect the privacy of personal health information, the Privacy Rule also sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. A Privacy Officer deals mainly with issues surrounding this question: Who has the right to see a patient’s records or be included in conversations about a patient’s health or care?
The HIPAA Security Rule deals mainly with protecting the integrity of PHI in its various forms. In today’s digital world, that often involves electronic health records (ePHI) and an office’s information systems. Under the HIPAA Security Rule, it falls to the Security Officer to put physical, technical, and administrative safeguards in place to ensure that a practice’s PHI and ePHI can’t be tampered with, viewed illegally, or stolen.
Take the test
I can’t tell you.
Yes, jokes this bad should be against the law. But for the purposes of this blog, which HIPAA rule would address the appropriateness of those remarks?
- HIPAA Privacy Rule
- HIPAA Security Rule
(If you answered “a,” — HIPAA Privacy Rule — congratulations!)