DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The HIPAA Security Rule contains general requirements, applicable to a covered entity or business associate’s implementation of administrative, physical, and technical safeguards to protect ePHI.
What are the Security Rule General Requirements?
All covered entities and business associates must meet the four following Security Rule general requirements:
Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity or business associate creates, receives, maintains, or transmits.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule.
Ensure compliance with the Security Rule by members of the workforce.
Do Covered Entities and Business Associates Have Flexibility in How to Meet These Obligations?
Covered entities and business associates have some degree of flexibility as to how to meet these requirements. Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the Security Rule’s standards and implementation specifications.
A standard is a requirement. For example, the Security Rule requires compliance with its “administrative safeguards” provision. This provision contains a series of rules, or standards, to be met. The first of these standards is called the Standard: Security Management Process. Standards contain an action requirement - the standards indicate what an entity must do to be in compliance with the standard. The action requirement for the Security Management Process Standard is to “Implement policies and procedures to prevent, detect, contain, and correct security violations.”
How, exactly, is an entity to implement this requirement? Many standards contain implementation specifications, which are essentially “instructions” for what must be done to meet the standard. An example: The Security Management Process Standard contains four implementation specifications. One of these specifications is the risk analysis requirement. To satisfy the risk analysis requirement, an entity must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
What Factors Must a Covered Entity or Business Associate Consider When Implementing the Security Rule Standards and Implementation Specifications?
In deciding which security measures to use to implement the Security Rule standards and
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
Which Parts of the Security Rule Contain Specific Standards?
1. 45 CFR 164.308 (administrative safeguards; contains the security management process standard and other standards)
2. 45 CFR 164.310 (physical safeguards)
3. 45 CFR 164.312 (technical safeguards)
4. 45 CFR 164.314 (organizational requirements; these requirements cover business associate agreements, as well as the security obligations of group health plans in particular)
5. 45 CFR 164.316 (Policies and Procedures and Documentation Requirement)
For purposes of this article, these standards will be referred to as “specific standards.”
Covered entities and business associates must comply with all of these specific standards, with respect to all ePHI.
What are Required Implementation Specifications and What are Addressable Implementation Specifications?
Implementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification.
If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.
What is the General Rule for Required Standards?
When a specific standard includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
What is the General Rule for Addressable Standards?
When a specific standard includes addressable implementation standards, a covered entity or business associate must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information.
Then, after the assessment, the covered entity or business associate must implement the implementation specification if it is reasonable and appropriate to do so. If the covered entity or business associate has determined that implementing the implementation specification is not reasonable and appropriate, the covered entity or business associate must meet several requirements. First, the covered entity or business associate must document why it would not be reasonable and appropriate to implement the implementation specification. Then, the covered entity or business associate must implement an equivalent alternative measure if it reasonable and appropriate to do so.
Must Covered Entities and Business Associates Update Their Security Measures? When?
The final Security Rule general requirement is a “maintenance” requirement. To meet this requirement, the covered entity or business associate must review and modify the security measures it has implemented, as needed, to continue providing reasonable and appropriate protection of ePHI. To meet the maintenance requirements, the covered entity or business associate must also update documentation of its review and modification of its security measures.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article