HIPAA PHI: Security and Compliance

The HIPAA laws surrounding Protected Health Information (PHI) require all health care Covered Entities (CEs) and their HIPAA Business Associates (BAs) to safeguard the security and privacy of PHI, and to implement the required security measures to do so.

HIPAA PHI

As a quick review, any individually identifiable health information created or received by a covered entity is Protected Health Information (PHI), regardless of the media form in which it is (or was) stored. PHI is protected under HIPAA whether the data is at rest or in transit. PHI may be oral, contained on paper or stored electronically.

The HIPAA Privacy Rule describes the permissible uses and disclosures of PHI. The HIPAA Security Rule establishes administrative, physical and technical safeguard standards to protect PHI from unauthorized uses and disclosures. The security requirements are flexible and scalable to account for the nature of each entity’s business, and its size and resources. The Privacy Rule covers all PHI; the Security Rule covers electronic PHI (ePHI). It is important that your healthcare business, as well as your Business Associates and subcontractors, comply fully with all security requirements.

The objectives of the HIPAA rules are to protect patient privacy, and in particular to make sure that all PHI is stored and transmitted securely, with a special emphasis on data that is stored or transmitted electronically.

The three primary goals for HIPAA PHI security are to:

• Ensure confidentiality, integrity, and availability of all PHI that a CE or BA creates, receives, maintains, or transmits

• Protect against any reasonably anticipated threats or hazards to the security or integrity of such PHI

• Protect against any reasonably anticipated losses or disclosures of PHI

For full help with HIPAA PHI security and compliance, purchase our HIPAA Security Assessment Toolkit™
