What information is protected by HIPAA's security rule?

Under the HIPAA security rule, protected information revolves around electronic protected health information (ePHI). The set of regulations under the security rule aims to safeguard ePHI from unauthorized access, use, or disclosure, ensuring patient privacy and data security. 

HIPAA's security rule

The HIPAA security rule is designed to establish a comprehensive framework for the protection of ePHI. The security rule upholds the confidentiality and availability of electronic health information, ensuring that patients' sensitive data remains protected from unauthorized access, use, or disclosure.

Related: What is the HIPAA security rule?

Types of information protected under the HIPAA security rule

1. Individually identifiable health information

Also known as personally identifiable information (PII), this includes personal identifiers such as :

• Names
• Addresses
• Birth dates 
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers

Related: What are the 18 PHI identifiers?

2. Medical records and electronic health records (EHRs)

Electronic health records (EHRs) provide a digital repository of an individual's medical history. These records encompass a comprehensive collection of diagnoses, treatments, medications, lab results, and other essential health-related information. Safeguarding EHRs and medical records under the HIPAA security rule ensures their confidentiality and integrity. Healthcare organizations must adopt robust security measures to thwart unauthorized access or tampering with this critical health data.

3. Health insurance information

This category includes information about an individual's health insurance coverage, policy numbers, coverage dates, and claim details. Ensuring the security of this information helps safeguard patients from potential identity theft and insurance fraud, which could lead to financial harm and compromised healthcare coverage.

4. Billing and payment information

Healthcare billing and payment information, such as:

• Financial account numbers
• Billing records
• Other financial data related to healthcare services. 

Cybercriminals may target this information to commit fraud or steal financial data, so covered entities and business associates must establish robust safeguards. These measures prevent data breaches and protect patients' financial well-being.

5. Other health-related information

The HIPAA security rule also protects other health-related information created, received, transmitted, or maintained electronically. This category encompasses:

• Medical research records
• Public health data
• Other health-related documents. 

Although not directly tied to an individual's identity as personally identifiable health information, this data is still sensitive and demands protection to maintain the overall security and privacy of patients' health information.

Related: HIPAA compliant email: the definitive guide