Contact us: Mature Compliance Programs Made Easier!
HIPAA Survival Guide Note: General Rules & Principles
References: The General Rules govern the entirety of the Security Rule ("Rule"). The objective is to: (1) ensure the Confidentiality, Integrity, and Availability of all your ePHI; (2) Protect against any reasonably anticipated Threats or hazards of your ePHI; (3) protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule; and (4) ensure your workforce complies with the Security Rule. To ensure that your workforce is trained properly you must do significantly more than provide the "fee good" tried that was widely used troughout the industry prior to the HITECH Act. For example, if your current training does not include training on Phising then it is woefully inadequate!
Description: The General Rules allow for the applicability of the "flexibility factors" to all implementation specifications for the Rule. These factors include: (1) the size, complexity, and capabilities of the covered entity or business associate; (2) the covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities; (3) the costs of security measures; and (4) the probability and criticality of potential risks to electronic protected health information. The Rules also distinguish between a "Required Implementation Specifications" and "Addressable Implementation Specications." The former must be implemented as is. The latter allows the implementation of an alternative specification as long as that alternative is reasonable and appropriate. Addressable does not mean that you can ignore the specification. If you choose not to implement anything for an Addressable specfication then you are required to document a compelling reason for ignoring it. The intent here is not to oversimplify or trivialize what is in fact a very complex set of objectives, but rather to ensure that the “end game” remains clearly visible as your organization grapples with the complexity. It is important to understand that Security Rule compliance is a project with a beginning, middle, but no discernible end. It is the quintessential wicked problem. New Threats, Vulnerabilities, and Risks will continue to emerge over time as your organization’s operational environment changes. Our program helps you identify common Threats, Vulnerabilities and Risks (“TVRs”) that likely already exist in your operational environment. Once your organization becomes familiar with the identification process, you will quickly be able to identify other TVRs.
§164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities and business associates may use any security that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §164.308, §164.310, §164.312, §164.314, and §164.316 with respect to all electronic protected health information.
(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in §164.308, §164.310, §164.312, §164.314, and §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
(3) When a standard adopted in §164.308, §164.310, §164.312, §164.314, and §164.316 includes addressable implementation specifications, a covered entity or business associate must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
(ii) As applicable to the covered entity or business associate--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and,
(2) Implement an equivalent alternative measure if reasonable and appropriate.
(e) Maintenance. A covered entity or business associate must review and modify the security implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security in accordance with §164.316(b)(2)(iii).
[68 FR 8376, Feb. 20, 2003; 68 FR 17153, Apr. 8, 2003]
Download our Free HIPAA Project Plan.