Health Information Privacy
U.S. Department of Health & Human Services
Security Rule
Why is the HIPAA Security Rule needed and what is the purpose of the security standards?
Is the use of encryption mandatory in the Security Rule?
What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?
Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?
Is the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) suspended during a national or public health emergency?
Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?
How can a small provider implement the standards in the Security Rule?
How will we know if our organization and our systems are compliant with the Security Rule’s requirements?
Does the Security Rule require the use of an electronic or digital signature?
Do the standards of the Security Rule require use of specific technologies?
What does the Security Rule mean by physical safeguards?
What is the difference between Risk Analysis and Risk Management in the Security Rule?
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Are covered entities required to use the National Institute of Standards and Technology (NIST) guidance documents referred to in the preamble to the final Security Rule (68 Fed. Reg. 8334 (February 20, 2003))?
Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?
Does the Security Rule allow you to network computers? In other words, are covered entities allowed to connect two computer systems, either within the covered entity, or between two covered entities or between a covered entity and its business associate(s) so that they can exchange information directly?
Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?
Who enforces the health information privacy and security standards established under the Health Insurance Portability and Accountability Act (HIPAA)?
What is the difference between addressable and required implementation specifications in the Security Rule?
What is encryption?
What are some examples of threats that covered entities should address when conducting their risk analysis in order to comply with the Security Rule?
May a HIPAA covered entity or its business associate disclose protected health information (PHI) for purposes of cybersecurity information-sharing of cyber threat indicators?
May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?