Rule "electronic" applicability (HIPAA)
The HIPAA Security
Rule applies to covered
entities -- defined as (a) health plans, (b) health care
clearinghouses, and (c) health care providers who transmit
any protected health
information (PHI) in "electronic form." The
Security Rule does not include any standards for non-electronic
PHI. Such information is, however, covered by the HIPAA Privacy
Rule, which extends to PHI in "any form or medium."
(Formally, as regards
(c) above, the Security Rule applies to providers who "engage
electronically in the transactions for which standards have
been adopted"; however, that refinement makes little
practical difference given the scope of the Transactions
The Security Rule
draws no distinction between data movement internal (within)
or external to an organization, nor between data "at
rest" (stored) or in transit over wire, fiber or other
media. The standard applies equally to all. Storage and movement
of any physical electronic media containing PHI -- e.g., magnetic
tapes, magnetic and optical disks, "flash" storage
devices -- are also covered.
More broadly, this
Rule reaches to electronic "systems," which are
defined as "interconnected set[s] of information resources
under the same direct management control that share common
functionality. A system normally includes hardware, software,
information, data, applications, communications and people."
CFR 164.304) For security to be effective, it must be
applied to the whole system. Hence the comprehensiveness of
the Rule's administrative,
Almost all electronic
devices today contain microprocessors -- that is, a kind of
computer -- from the telephone to the toaster. Although the
Security Rule's reach extends to "an[y] electronic computing
device," DHHS has clarified that it intends to include
within that ambit only "software programmable computers,
for example personal computers, minicomputers, and mainframes."
(Final Rule, p.54) Laptops, tablet computers, PDAs and other
portable computing devices are also included, whether linked
by wire, wireless connection, or "stand alone."
communications of PHI are not covered; neither are those over
the telephone, even though the telephone network is an electronic
one. Nor are paper transmissions covered, even though most
paper documents originate from a computer (and are replicated
in a printer or photocopier with a microprocessor in it).
One exception is
worth noting here, which may help clarify the rule: Telephone
voice response and "faxback"systems -- where a request
for information from a computer is made via voice or telephone
keypad input, with the requested information returned via
fax -- are now considered to fall under the Security Rule.
Previously, such systems were excluded. The rationale is that
the response, though not the request, is achieved by computer
systems and so must be covered.
paper" faxes, by contrast, remain exempt. As noted, person-to-person
phone calls are exempt. So are voice messages left on voice
mail. So is videoconferencing. (It is worth reiterating however,
that the Privacy Rule is normally interpreted as requiring
appropriate security measures for PHI of all kinds, and would
include all of these.).
Naturally, a covered
entity is expected to apply security safeguards to its entire
"facility" -- defined as the "physical premises
and interior and exterior of [its] building[s]" -- and
the systems therein. But a covered entity's responsibilities
do not end at the property line. It is expected to implement
security standards that extend to all members of its workforce,
wherever located, to ensure the protection of health information
wherever it may go.
So, for example,
security provisions must be put in place for "at home"
workers too, such as medical transcriptionists or claims processors.
(If such workers are employed by a business
associate, rather than the covered entity, contractual
provisions must address security
issues.) Covered entities should also have policies for
workers who have PHI at home or elsewhere off site on a "casual"
basis for work activities -- e.g., physicians or researchers.
practices extend the transmission of data to new locations,
such as into and out of patients' homes. Electronic mail is
increasingly used to communicate with patients. Patients are
not covered entities, and covered entities are not responsible
for the "security practices" of their patients.
covered entities are responsible for taking reasonable security
measures "at their end of the wire" when communicating
with patients. It may also be reasonable to expect covered
entities to assist patients by making recommendations about
(more) secure practices.