§ 164.306 Security standards: General rule
Introductory Comment: From the perspective of acquiring a "big picture" view of the HIPAA Security Rule the general rule is critical. It contains some guiding "flexibility" principles (see (b) below) that are foundational to understanding how a "good story" may be developed, especially from the perspective of the small provider. However, we need to re-emphasize that "flexibility" does not mean (as per the rule) that a provider is free to ignore requirements, but rather that there may be some implementation "wiggle room" if properly documented.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all its ePHI.
(2) Protect against any reasonably anticipated threats or hazards of its ePHI.
(3) Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the HIPAA Privacy Rule.
(4) Ensure its workforce complies with the HIPAA Security Rule.
HIPAA Survival Guide Note
The items above do not appear unreasonable or overly burdensome. However, the devil lies in the details of the specifications, some of which are absolutely mandatory while others are labeled "Addressable." As discussed later, the addressable specifications are a "head fake" of sorts, since addressable specifications still require action on the part of the provider.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the Covered Entity to reasonably and appropriately implement the standards and implementation specifications.
(2) In deciding which security measures to use, a Covered Entity must take into account the following factors:
(i) The size, complexity, and capabilities of the Covered Entity.
(ii) The Covered Entity's technical infrastructure, hardware, and software security capabilities.
(ii) The costs of security measures.
(iv) The probability and criticality of potential risks to ePHI.
HIPAA Survival Guide Note
Some have referred to the four factors as the HIPAA Security Rule's guiding principles. It certainly appears that the drafters attempted to provide an "out" as they recognized that small providers may be unduly burdened. However, as we will discuss, the drafters "give" and the drafters "take" away.
(c) Standards. A Covered Entity must comply with the standards as provided in this section and with respect to all ePHI.
(d) Implementation specifications. Specifications are either "Required" or "Addressable." Required specifications must be implemented. Addressable specifications must be assessed and implemented as specified if reasonable and appropriate to the Covered Entity. If not reasonable and appropriate, the reason it is not must be documented and an equivalent alternative measure must be implemented if the alternative is "reasonable and appropriate."
HIPAA Survival Guide Note
This is where the rubber meets the road. If you don't implement a specification that is "addressable" you must, at a minimum, provide justification for not doing so, and if not implemented at all, justification for why an alternative measure was not feasible. In short, there is no free lunch under the HIPAA Security Rule with respect to "addressable" specifications. Even small providers must carry this burden.
(e) Maintenance. Security measures implemented must be reviewed and modified as required to ensure continued protection of ePHI.
Commentary on the General Rule
A discussed in the HIPAA Security Rule introduction, we believe that small providers (and probably many large ones as well) cannot meet the duties required of covered entities under the HIPAA Security Rule without the assistance of HIT consultants.
While we have, for the most part, attempted not to "editorialize" throughout this guide, it should be clear to any objective observer that the burdens imposed by the HIPAA Security Rule will be disproportionately felt by smaller providers. Much needs to be done in order to alleviate this burden, especially since, as a matter of public policy, we need more small providers in order to better serve the needs of the nation.
In particular, HHS should provide additional compliance guidance to small providers, especially but not exclusively, with respect to the HIPAA Security Rule. In fact, it appears that HHS is making a concerted effort to do just that. Please review the resources section of the Appendix for a description of Security Rule and Privacy Rule materials available on HHS' website.
Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.