The page below is a sample from the LabCE course HIPAA Privacy and Security Rules for All Healthcare Personnel. Access the complete course and earn ASCLS P.A.C.E.-approved continuing education credits by subscribing online.

Learn more about HIPAA Privacy and Security Rules for All Healthcare Personnel (online CE course) »
How to Subscribe


Like the Privacy Rule, the Security Rule includes three categories of safeguards:

  • Administrative
  • Physical
  • Technical
  • The final rule that was issued January 25, 2013 requires covered entities and business associates (and the business associate's subcontractors, if any) to have in place administrative, physical, and technical safeguards that are in compliance with the Security Rule. The final rule not only makes business associates equally accountable for privacy and security safeguards, but extends the rules down to the subcontractor level. Any subcontractor that is hired by the business associate must agree to the same restrictions and conditions that apply to the business associate, if the subcontractor creates or receives PHI. Note that a subcontractor may not use PHI in any way that is not
    permitted by the business associate agreement between the primary business associate and the covered entity.
    The contract agreements that are made between the business associate and the subcontractor must be at least as stringent as the contract agreements between the covered entity and the business associate.