The Security Rule's requirements are grouped into three categories: administrative safeguards, physical safeguards, and technical safeguards (each of which is further described in the following sections). Figure 1, below, shows that these Security Rule requirements are broken down into 18 standards, 12 of which have implementation specifications, six of which do not.
Figure 1
In short, a standard explains what a CE must do; implementation specifications explain how to do it.
The Security Rule has 36 implementation specifications, which are further divided into two types: required (14) and addressable (22). Required specifications are essential and CEs must implement them. CEs have three choices, however, for handling addressable implementation specifications:
1. If a specific addressable implementation specification is determined to be reasonable and appropriate, the CE must implement it.
2. If implementing a specific addressable implementation specification is not reasonable and appropriate, but the overall standard cannot be met without an additional security safeguard, a CE must:
   a. Document why it would not be reasonable and appropriate to implement the implementation specification; and
   b. Implement and document an alternative security measure that accomplishes the same purpose as the addressable implementation specification.
3. If implementing a specific addressable implementation specification is not reasonable and appropriate and the overall standard can be met without implementation of an alternative security measure, a CE must:
   a. Document the decision not to implement the addressable specification;
   b. Document why it would not be reasonable and appropriate to implement the implementation specification; and
   c. Document how the standard is being met.
To summarize, a CE must do one of three things: (1) implement an addressable specification if reasonable and appropriate, (2) implement an alternative security measure to accomplish the purposes of the standard, or (3) implement nothing if the specification is not reasonable and appropriate and the standard can still be met.
The specifications can be implemented in any order, as long as the standards are met by the Security Rule deadline.
Covered entities should take into account the following factors when deciding how to respond to addressable specifications:
The CE's
The CE's technical infrastructure, hardware, and software security capabilities
The costs of security measures
The
Administrative safeguards make up 50% of the Security Rule's standards. In general, they require documented policies and procedures for day-to-day operations; managing the conduct of
Security management process: Implementing policies and procedures to prevent, detect, contain, and correct security violations.
Assigned security responsibility: A single individual must be designated as having overall responsibility for the security of a CE's EPHI.
Workforce security: Implementing policies and procedures to ensure that employees have only appropriate access to EPHI.
Information access management: Implementing policies and procedures for authorizing access to EPHI.
Security awareness and training: Implementing a security awareness and training program for a CE's entire workforce.
Security incident procedures: Implementing policies and procedures to handle security incidents.
Contingency plan: Implementing policies and procedures for responding to an emergency or other occurrence that damages systems containing EPHI.
Evaluation: Performing periodic technical and non-technical evaluations that determine the extent to which a CE's security policies and procedures meet the ongoing requirements of the Security Rule.
Business associate contracts and other arrangements:
A CE may permit a business associate to create, receive, maintain, or transmit EPHI on the CE's