Monday, March 08, 2004

UNITED STATES HIPAA COMPLIANCE DOCUMENTATION
SecurityFocus Infocus: HIPAA Security Rule
1. Introduction
Thousands of US organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule is a key part of HIPAA -- federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.
If your organization is a Covered Entity (one that must comply with HIPAA), it is imperative that you understand the rule and take the necessary steps toward compliance. This article presents a detailed overview of the Security Rule and key factors you should consider when preparing to comply with the rule.

1.1 The basics
What: The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
Who: Covered Entities (CEs) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and repricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any EPHI.
How: CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.
When: The final Security Rule became effective as of April 21, 2003. Most CEs must be in compliance by April 21, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006.

1.2 Penalties
