What Specific HIPAA Security Requirements Does the Security Rule Dictate?
The Security Rule requires covered entities and business associates to analyze their security needs and to implement security measures that are reasonable, appropriate, and effective in protecting electronic protected health information (ePHI).
The Security Rule does not prescribe which specific security measures or technologies an organization must use; it is deliberately technology-neutral and scalable, so entities of different sizes and resources have leeway to decide which safeguards will work most effectively for them.
What the Security Rule does require is that entities, when implementing security measures, consider the following things:
- Their size, complexity, and capabilities;
- Their technical infrastructure, hardware, and software security capabilities;
- The costs of security measures; and
- The likelihood and possible impact of potential risks to ePHI.
The Security Rule also requires that covered entities and business associates don’t “sit still” – they must continually review and, where needed, modify their security measures so that ePHI remains protected as their environment and the threats to it change.
What are the Three Standards of the HIPAA Security Rule?
The HIPAA Security Rule organizes its standards into three categories of required safeguards: 1) administrative, 2) physical, and 3) technical. Covered entities and business associates (BAs) must comply with the standards in each of these categories.
What are Administrative Safeguards?
The Security Rule’s administrative safeguard provisions require covered entities (CEs) and BAs to perform a risk analysis. Performing a risk analysis helps you to determine what security measures are reasonable and appropriate