HIPAA Privacy Rule vs. HIPAA Security Rule


Protecting patient information has always been of the utmost importance in health care, but the information age has changed everything dramatically. Even before the rise of smartphones and big data, regulators were alert to the opportunities and challenges of the internet. Thus, the Health Insurance Portability and Accountability Act (HIPAA) was passed into law in 1996, codifying several important rules regarding the collection, storage and sharing of sensitive patient data.

HIPAA is something all nurses with a Doctorate of Nursing Practice are intimately familiar with. Not only have they studied it extensively in coursework, but they’ve also navigated the regulation in their professional capacities. Yet as innovations like the electronic health record (EHR) and telehealth continue to reshape care delivery — and the industry overall — even DNP-prepared nurses may have difficulty keeping track of all their ethical obligations.

A common problem is distinguishing between the HIPAA privacy and security rules. While both address the same crucial issue — the protection of sensitive patient data — they cover different components of compliance. HIPAA and nursing is the overarching theme here, because nurses with a DNP may need to manage compliance for a team, or even a department. Here’s more about what the separate rules entail, and how a doctorate can help deepen that knowledge.

What separates the HIPAA privacy law and security rule?

While there is a fair amount of conceptual overlap in privacy and security, HIPAA treats them as two very distinct notions. Examining these differences will set the stage for nurse practitioners to develop a clear and thorough understanding of HIPAA compliance.

At a high level, privacy is related to the disclosure of patient data, whereas security is focused on the actual IT protocols (e.g. passwords and encryption) put in place to safeguard that data. The privacy law, for instance, dictates in which scenarios transmission of patient data is appropriate, like in care coordination. The HIPAA security rule lays out what controls entities subject to it need to maintain to ensure data protection.

What is the HIPAA privacy law?

According to the U.S. Department of Health and Human Services (HHS), the privacy law was designed to balance the need for data protection, while still allowing for the regulated flow of that information between care professionals. Patients have inherent rights to privacy of their protected health information (PHI); specifically, PHI should not be disclosed without consent, or used against the wishes of the patient.

As clear as those dictums may seem, the actual application can be difficult in practice. That’s why the HIPAA privacy law was crafted: to help create standards for more universal compliance. For instance:

  • Covered entities — including health care providers, insurers and clearinghouses, among others — must keep confidential any data relating to a patient’s past medical history, present well-being and future conditions, as well as the care rendered and the payment for that care.
  • Disclosure of this data is allowable when it is given to the patient, or when it is used as part of a provider’s own treatment, payment and health care operations.
  • These entities can be compelled to disclose PHI in only two situations: when the individual or their personal representative requests access, or when HHS asks for it as part of a compliance review.

Importantly, the HIPAA privacy law places no such restrictions on de-identified patient data, which may be used in research. What the law does cover, however, is the use of PHI in marketing and other non-care purposes. Failure to abide by it can result in HIPAA violation penalties for nurses.

What is the HIPAA security rule?

The HIPAA security rule addresses all the tangible mechanisms covered entities must have in place to support internal privacy policies and procedures. Its primary objective is to strike a balance between the protection of data and the reality that entities need to continually improve or upgrade their defenses. So, while the rule covers major concepts like EHRs, it is also designed to be flexible.

Why is the security rule needed? Health care is one of the industries most vulnerable to cyberattacks like ransomware, and many high-profile data breaches have befallen providers and insurers, leaking the PHI of millions.

The security rule was implemented to help create national standards for digital security and administrative protocols. Some of those measures outlined by the rule include:

  • Security management processes: Covered entities have to conduct risk analyses and formulate security plans to mitigate the risks those analyses identify.
  • Workforce training and management: Any personnel working with PHI must be sufficiently trained in compliance and internal policies. Entities are expected to provide this essential training, as well as take appropriate action against violators.
  • Technical safeguards: An entity’s IT infrastructure must exhibit several security properties. Access controls must be implemented to restrict data to authorized persons, while audit controls call for hardware, software and other tools that record and examine activity in the systems governed by those access controls. Integrity controls ensure that data is never improperly altered or destroyed, and transmission security calls for measures that block unauthorized access to PHI while it is being transmitted between networks.

What DNP students at Bradley can learn about HIPAA

Compliance is a primary responsibility for nurses in any role, but especially those who are advanced practice registered nurses (APRNs), nurse leaders, nurse directors or nurse executives. The buck often stops with them, and being knowledgeable about HIPAA and nursing is crucial. In Bradley’s online DNP program, students can expect to sharpen compliance-related skills and expertise in classes like:

  • CIS 576 – Data Management
  • ML 630 – Management in Health Care Organizations
  • NUR 730 – Ethics in Advanced Practice Nursing
  • NUR 752 – Advanced Health Informatics

Interested in learning more about the program and degree outcomes? Contact an enrollment advisor today.


Bradley University

U.S. Department of Health and Human Services