Within HIPAA, the security standards apply to Protected Health Information (PHI) that is created, received, maintained, or transmitted electronically, whereas the privacy standards apply to all forms of PHI. Therefore, although the security standards and the privacy standards have their own “Rules”, the Security Rule protects a subset of information covered by the Privacy Rule.
Why Two Rules, Rather than One?
To understand why there are separate Rules for security and privacy, you have to go back to before the passage of HIPAA. In the early 1990s, there was a patchwork of state and federal laws protecting health information depending on the type of information (e.g., SUD records) or who maintained it (e.g., federal agencies). State laws varied greatly in scope and strength.
There was no national standard for the confidentiality of all health information; and, as the health information system was increasingly becoming interstate, Congress intended to pass a federal health information privacy law. The proposed law would provide a “federal floor” of privacy protections that would preempt any state laws that did not have more robust protections.
However, it was not Congress’s original intention to pass a federal health information privacy law via HIPAA. The objective of HIPAA (Title I) was to reduce the scale of economically damaging “job lock” by facilitating the portability of health insurance between jobs and preventing health insurance carriers from charging higher premiums or excluding employees with pre-existing conditions.
To prevent the cost of the health insurance reforms being passed on to employers and employees in the form of higher premiums, Congress enacted Title II of HIPAA. This Title set up a fraud and abuse program to reduce the scale of fraud and abuse against health plans and Medicare, and instructed the Secretary for Health and Human Services (HHS) to develop standards to simplify the administration of healthcare transactions (e.g., eligibility checks, authorizations, billing, etc.).
The Security Rule Should Have Been First
Among the instructions in Title II for developing standards for information transactions and data elements (§1173 of HIPAA codified at 42 USC §1320d-2), there is a requirement for HHS to develop security standards for health information. To eliminate any confusion that the security standards would only apply to healthcare transactions, Section (d)(2) of the requirement extends the standards to all maintained or transmitted health information.
“(d)(2) SAFEGUARDS.—Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards—
- to ensure the integrity and confidentiality of the information;
- to protect against any reasonably anticipated—
  - threats or hazards to the security or integrity of the information; and
  - unauthorized uses or disclosures of the information; and
- otherwise, to ensure compliance with this part by the officers and employees of such person.”
The proposed Security Rule was originally published in August 1998 – fifteen months before the first proposed Privacy Rule – but, due to the volume of comments from stakeholders, the final Security Rule was not published until February 2003. Due to the complexity of the standards and implementation specifications, covered entities were given two years to comply with the Security Rule.
Of relevance to the question “within HIPAA, how does security differ from privacy?” is that the preamble to the final Security Rule notes that, under §1173 of HIPAA (referenced above), HHS has the authority to develop security standards for health information in all formats. However, because the proposed Security Rule covered only health information in electronic form, security standards for health information in non-electronic form were not included in the final Rule.
HHS Did Not Want to Create the Privacy Rule
The Privacy Rule came about – somewhat reluctantly – due to a small section of HIPAA that instructs HHS to recommend standards with respect to the privacy of individually identifiable health information. (The term “Protected Health Information” does not exist in the legislative text of HIPAA). The recommendations had to address the following issues:
- The rights that an individual who is a subject of individually identifiable health information should have.
- The procedures that should be established for the exercise of such rights.
- The uses and disclosures of such information that should be authorized or required.
HHS made the recommendations as instructed; but, in her letter to Congress in 1997, the Secretary for Health and Human Services – Donna Shalala – advocated for the passage of federal privacy legislation, rather than relying on HHS to pass a set of privacy regulations. However, HIPAA had set Congress a three-year deadline to pass legislation; and, when the deadline passed, the recommendations were published as a proposed Privacy Rule in 1999.
Although the recommendations were finalized the following year, HHS received thousands of queries raising concerns that the privacy standards would affect the efficient delivery of healthcare. The agency subsequently rewrote large passages of the Privacy Rule to clarify the standards and v2 of the Privacy Rule was published in 2002 with compliance dates of April 2003 for most covered entities and April 2004 for small health plans.
Conclusion – Within HIPAA, How Does Security Differ From Privacy?
Comparing the two Rules twenty years later, there are several ways to answer the question “within HIPAA, how does security differ from privacy?”. Firstly, the Security Rule has a flexibility of approach clause that enables covered entities to decide what procedures and technologies to implement to comply with the Rule. There are also addressable implementation specifications that give covered entities even more flexibility.
By contrast, the Privacy Rule is much more stringent in stipulating permitted uses and disclosures of PHI (in all formats), specifying what rights patients have and how they can be exercised, and governing the content of Business Associate Agreements. The Privacy Rule also covers what can be disclosed in permitted disclosures in specific circumstances, requires that the identity of recipients of PHI is verified, and provides precise examples of when exceptions exist.
In conclusion, although there is an impression that the Security Rule is more rigid than the Privacy Rule, it is actually the other way around. However, because the nature of health information protected by the Security Rule is a subset of health information protected by the Privacy Rule, covered entities and business associates should comply with the two Rules in unison rather than treat them as separate Rules.