Overview
The HIPAA Security Rule was passed as part of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The HIPAA Security Rule governs the security of Protected Health Information (PHI). This Section applies to all Plan Sponsors. For the purpose of the HIPAA Security Rule, all Plan Sponsors are required to provide detailed PHI security measures.
This article provides general information about how the HIPAA Security Rule typically applies to health plans and general language that you might find in the Security Rule disclosure section of your plan documents. Please refer to your Summary Plan Description and other plan documentation for the specific details of how your plan applies the HIPAA Security Rule.
Participant Disclosure
If you have questions about the privacy or security of your health information under the Plan, please contact the Plan Administrator or the Privacy/Security Officer named in the Employer/Plan Sponsor’s Privacy and Security Policy.
Employer/Plan Sponsor’s Obligations
Employer/Plan Sponsor certifies compliance with the following requirements:
- Implement Safeguards. Develop, implement, and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Protected Health Information that it creates, receives, maintains, or transmits in an electronic format (with the exception of enrollment or disenrollment information and any Summary Health Information) on the Plan’s behalf, and ensure that any of its agents or subcontractors to whom it may provide such electronic Protected Health Information agree to implement reasonable and appropriate security measures to protect such information.
- Report. Report to the Plan any use or disclosure of the information that is inconsistent with the uses and disclosures provided for in this Section or the Plan of which it becomes aware. Report to the Security Official any security incident of which it becomes aware.
- Follow Breach Protocols. Follow the notification procedures required by the Security Rule in the event of any breach of unsecured Protected Health Information which compromises the security of such information.
- Ensure Security of PHI. Ensure the availability, integrity, and confidentiality of electronic PHI; protect against reasonably anticipated threats or hazards to the security of electronic PHI; protect against reasonably anticipated impermissible uses or disclosures of electronic PHI; and ensure compliance by members of the entity's workforce.