Implementing HIPAA Security Standards
The Final Security Rule went into effect on April 21, 2003. All covered entities must comply with the standards and implementation specifications required by the HIPAA Security Rule beginning April 21, 2005. To implement these standards, organizations may use security measures that allow them to reasonably and appropriately meet the requirements of the HIPAA Security Rule. In deciding which security measures to implement, an organization must take into account:
1. The size, complexity, and capabilities of the organization;
2. The organization's technical infrastructure, hardware, and software security capabilities;
3. The costs of security measures; and
4. The probability and criticality of potential risks to electronic Protected Health Information (PHI) created, used, disclosed, or maintained by the organization.
All implementation specifications of the Security Rule have been designated as either "Required" or "Addressable". In HIPAASays, if a specification is required the word "Required" appears in parentheses. If a specification is addressable the word "Addressable" appears in parentheses.
Required Specifications

When a standard adopted by the HIPAA Security Rule includes "Required", a covered entity MUST implement the implementation specification.
Addressable Specifications

When a standard adopted by the HIPAA Security Rule includes "Addressable", an organization must:
1. Assess whether the implementation specification is a reasonable and appropriate safeguard for its organization, and
2. If reasonable and appropriate, implement the specification; or
3. If not reasonable and appropriate, document why it is not and implement an equivalent or alternative measure that is reasonable and appropriate.
Maintenance and Review

Security measures implemented to comply with the HIPAA Security Rule must be reviewed and modified as needed to continue the provision of reasonable and appropriate protection of electronic Protected Health Information (PHI).