The purpose of the Health Insurance Portability and Accountability (HIPAA) Security Rule is to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity (healthcare provider, health plan) or business associate creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and
- Ensure compliance of the covered entity’s workforce. 45 C.F.R. §164.306.
The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. Each one of these sections has multiple “standards” that must be followed by the covered entity. Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”.
A “required” implementation specification must be implemented by the covered entity.
An “addressable” implementation specification is more flexible, but it is not optional. A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:
- Implement the addressable implementation specification;
- Implement an equivalent alternative measure that allows the entity to comply with the standard; or
- Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.
Covered entities must document the assessment and decision made regarding each specification.
If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:
- The entity's risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
- The entity’s security analysis - What security measures are already in place or could reasonably be put into place?
- The entity’s financial analysis - How much will implementation cost?
45 CFR §164.306
U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities
NIST SP 800-66