The Final Rule on Security Standards was issued on February 20, 2003 and came into effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for “small plans”.
Complementing the HIPAA Privacy Rule, the Security Rule establishes a set of national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. While the Privacy Rule applies to all Protected Health Information (PHI), both paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). The Security Rule requires three types of security safeguards for compliance: administrative, physical, and technical. These safeguards are intended to ensure the confidentiality, integrity, and security of electronic protected health information.