The HIPAA Security Rule applies only to protected health and payment information that exists in electronic form. Medical practices should have implemented the final Security Standards, which were published in the Feb. 20, 2003, Federal Register.
The rule consists of 18 standards that are required of all covered entities, which include health plans (generally, most payers), healthcare clearinghouses, and most healthcare providers. A provider who transmits any protected health information using a HIPAA standardized electronic transaction is a covered entity. HIPAA standardized electronic transactions include claims submission, payment receipt, claim inquiry, eligibility verification, and pre-certification.
These standards fall into three categories: administrative, physical, and technical safeguards. All covered providers may apply reasonableness when implementing these safeguards.