This is a summary of the key elements of the security rule and is not a complete or exhaustive guide to compliance. Businesses subject to confidentiality and security rules are required to comply with all applicable requirements and should not rely on this summary as a source of legal information or advice. To facilitate the review of all requirements of the security rule, the endnotes cite the provisions of the rule mentioned in this summary. See our Security Rule section to view the entire rule and get more useful information about applying the rule. In the event of any conflict between this summary and the rule, the rule shall prevail.

Prior to HIPAA, there were no generally accepted security standards or general requirements for protecting health information in healthcare. At the same time, new technologies have emerged and the health care industry has begun to move away from paper-based processes and rely more on the use of electronic information systems to pay claims, answer questions about entitlements, provide health information, and perform a variety of other administrative and clinical functions.

Hybrid entity. The confidentiality rule allows a covered entity that is a single legal entity and performs both covered and non-covered functions to register as a “hybrid entity”. (77) (The activities that make a person or organization a covered entity are its “covered functions”. (78)) To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “components of health care”. According to this designation, most of the requirements of the data protection rule apply only to healthcare components. A covered entity that does not use this designation is subject to the confidentiality rule in its entirety.

Preemption. for management or financial audits.