The Security Rule applies to healthcare organizations that create, receive, maintain or transmit ePHI, including:
- Healthcare providers: Providers of medical or other health services or suppliers who transmit any electronic health information.
- Health plans: Individual or group plans, including employer-sponsored health plans, Medicare and Medicaid programs.
- Healthcare clearinghouses: Public or private entities that process healthcare transactions from a standard format to a nonstandard format or vice versa.
- Medicare prescription drug card sponsors: Any entity that offers an endorsed discount drug program under the Medicare Modernization Act.