The HIPAA Security Rule: Are You in Compliance?


Taking steps to protect your patient information and prepare for a possible breach can avoid costly audit violations.

Fam Pract Manag. 2017 Mar-Apr;24(2):5-9.

Author disclosure: no relevant financial affiliations disclosed.

Physician practices have lived with HIPAA for more than 20 years. By now, most probably know how to deliver a proper Notice of Privacy Practices, when it is permissible to leave voicemail messages for patients, and who their business associates are (e.g., the billing company is, but the janitor is not). Most of these issues fall under the HIPAA Privacy Rule, a set of regulations updated periodically since being introduced in 2000 that most physician practices view as a part of daily life.

However, there is another HIPAA rule that is – or should be – an integral part of practice: the Security Rule. The requirement for HIPAA-compliant electronic health record (EHR) software barely scratches the surface of the obligations of the Security Rule. Unfamiliarity with the requirements has led to multiple costly settlements between HIPAA-covered entities (including small physician practices) and the Department of Health and Human Services' Office for Civil Rights (OCR).

This article explores the government's recent HIPAA enforcement efforts and common errors made by HIPAA-covered entities. It also examines the requirements of the HIPAA Security Rule, with a special focus on security risk assessments (SRAs).

The pitfalls of HIPAA enforcement

The OCR was given the authority to enforce HIPAA in 2003. The compliance date for the Security Rule was in 2005, but no enforcement actions were taken until July 2009. Even then, most enforcement actions involved larger institutions and health systems. In April 2012, Phoenix Cardiac Surgery P.C. in Arizona became the first physician practice to face Security Rule enforcement. The group had mistakenly made its appointment calendar publicly viewable online. The OCR's investigation then discovered several other HIPAA problems, including a lack of effective training for the practice's workforce, ineffective administrative and technical protection for its electronic protected health information (ePHI), and failure to conduct an SRA. The group was required to pay $100,000 and engage in remedial efforts to correct its HIPAA deficiencies.

The case is fairly typical of OCR settlements, which usually involve the OCR responding to a report of a breach or improper disclosure. When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 directed the OCR to perform “periodic audits” of HIPAA-covered entities, the agency shifted from having a primarily reactive role to also having proactive enforcement duties. The OCR conducted a year-long Audit Pilot Program in 2011 that examined the Privacy and Security Rule compliance of 115 covered entities, from hospitals and group health plans to physician and dental practices. This eventually led in October 2014 to the second phase of the Audit Program,

About the Author

Daniel Shay is an associate at the law firm of Alice G. Gosfield & Associates in Philadelphia.


Copyright © 2017 by the American Academy of Family Physicians.