Under the HIPAA Privacy Rule, who must safeguard electronic protected health information (ePHI)?

The obligation to safeguard electronic protected health information rests with the entities that handle PHI in the healthcare system: covered entities and their business associates. Under the HIPAA Privacy Rule, these groups must implement safeguards to protect ePHI from unauthorized access, use, or disclosure. Covered entities include health plans, healthcare providers, and healthcare clearinghouses that electronically transmit PHI; they’re required to adopt administrative, physical, and technical safeguards, such as access controls, encryption, training, and secure storage. Business associates—vendors or contractors who handle ePHI on behalf of a covered entity—also must protect that information through contractual obligations and corresponding safeguards. Patients have rights related to their records, but the duty to safeguard ePHI is placed on the organizations, not individuals. Employers and third parties aren’t automatically responsible unless they themselves are a covered entity or a bound business associate.