GENERAL REQUIREMENTS AND STRUCTURE


The Security Rule's requirements are grouped into three categories: administrative safeguards, physical safeguards, and technical safeguards (each of which is further described in the following sections). Figure 1, below, shows that these Security Rule requirements are broken down into 18 standards, 12 of which have implementation specifications and six of which do not.

Figure 1

In short, a standard explains what a covered entity (CE) must do; implementation specifications explain how to do it.

The Security Rule has 36 implementation specifications, which are further divided into two types: required (14) and addressable (22). Required specifications are essential and CEs must implement them. CEs have three choices, however, for handling addressable implementation specifications:

  1. If a specific addressable implementation specification is determined to be reasonable and appropriate, the CE must implement it.

  2. If implementing a specific addressable implementation specification is not reasonable and appropriate, but the overall standard cannot be met without an additional security safeguard, a CE must:

    1. Document why it would not be reasonable and appropriate to implement the implementation specification; and

    2. Implement and document an alternative security measure that accomplishes the same purpose as the addressable implementation specification.

  3. If implementing a specific addressable implementation specification is not reasonable and appropriate and the overall standard can be met without implementation of an alternative security measure, a CE must:

    1. Document the decision not to implement the addressable specification;

    2. Document why it would not be reasonable and appropriate to implement the implementation specification; and

    3. Document how the standard is being met.

To summarize, a CE must do one of three things: (1) implement an addressable specification if reasonable and appropriate, (2) implement an alternative security measure to accomplish the purposes of the standard, or (3) implement nothing if the specification is not reasonable and appropriate and the standard can still be met.

The specifications can be implemented in any order, as long as the standards are met by the Security Rule compliance deadline.

Covered entities should take into account the following factors when deciding how to respond to addressable specifications:

  • The CE's size, complexity, and capabilities

  • The CE's technical infrastructure, hardware, and software security capabilities

  • The costs of security measures

  • The likelihood and seriousness of potential risks to EPHI




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
