What's the HIPAA security rule?

The Department of Health and Human Services published the final HIPAA Security Rule on February 20, 2003. The compliance deadline for the Security Rule is April 20, 2005.

The Security Rule establishes requirements to ensure the confidentiality, integrity and availability of electronic protected health information (e-PHI). These requirements are broken into three categories of safeguards for e-PHI:

  • Administrative safeguards — Policies and procedures to ensure information security. Examples include background checks, training, emergency response, risk management, and sanctions for non-compliance.
  • Physical safeguards — These may be the most obvious controls. They include ID badges, locking buildings and offices, protecting computer equipment, etc.
  • Technical safeguards — These are often "invisible" controls that work within information systems. They include things like user identification, passwords and antivirus software.

Read more about HIPAA security below or visit our frequently asked questions on security page.

Effect on Blue Cross Blue Shield and Blue Care Network of Michigan

BCBSM and BCN use policies and procedures to safeguard PHI. Privacy laws require security to ensure that confidential information is protected from unauthorized access, modification or loss. While HIPAA privacy rules cover PHI in any form, HIPAA security regulations cover electronic PHI only. To ensure the security of our information, BCBSM and BCN have chosen to apply security measures to all forms of PHI.

Confidentiality: Our security policies prevent individuals from accessing information they do not need and ensure people have access to the information they do need. 

Integrity: Our security measures help ensure that data are not mistakenly or improperly altered.

Availability: Our security measures are designed to keep information available and protected, even in the event of an emergency or disaster.

Security Safeguards

Some of our privacy procedures are designed to ensure we release PHI to the correct individual and that such disclosures are secure.

Identity verification: If you or members of your office call us, the caller will be asked several questions designed to verify the caller's identity and authority to access the member's information. We will also confirm that you are the agent of record for the customer you ask about. Written correspondence requesting PHI should be on agency letterhead and include your name, signature, and the date of your signature.

Once we've verified your identity, we will determine if we may provide information without the member's written authorization.

E-mail: BCBSM and BCN will not use the internet to exchange PHI until it is encrypted to the degree necessary to be a secured mode of transmission.