What does the Security Rule encompass?
The Security Rule applies only to electronic protected health information (ePHI). This is in contrast to the Privacy Rule, which applies to all forms of protected health information, including oral, paper, and electronic.

There are 3 parts of the Security Rule that covered entities must know about:

• Administrative safeguards—includes items such as assigning a security officer and providing training
• Physical safeguards—includes equipment specifications, computer back-ups, and access restriction
• Technical safeguards—addressed in more detail below

More detail about these safeguards can be found in the Security Information Series from the Centers for Medicare and Medicaid Services (CMS).

Each area within the Security Rule includes implementation specifications. Some implementation specifications are required; others are addressable. Addressable means that the covered entity must implement the specification if it is reasonable and appropriate, but does not have to implement it if:

• there is an a