It is advisable to periodically review the principles of the HIPAA Rules to remind ourselves of the importance of the regulations. Here we will review the principles of the Security Rule.
The Security Rule is based on three principles: comprehensiveness, scalability, and technology neutrality.
Comprehensiveness: This refers to the fact that the Security Rule addresses all aspects of security. This means that security measures address confidentiality, data integrity, and availability.
Scalability: This assures that the Security Rule can be effectively implemented by covered entities of all types and sizes.
Technology neutrality: This means the Security Rule does not define specific technology requirements, thereby allowing covered entities to make use of future technology advancements.
Comprehensiveness: The Privacy Rule is pervasive and impacts virtually every aspect of operations. The Security Rule is even more pervasive. It must be understood and practiced by every person in the office.
Privacy and Security are tightly linked. There are many similarities between the Privacy and Security standards. For example, both have sanction policies, required training, business associate contracts, compliance, and compliance officer requirements. Privacy has "minimum necessary" and "NPP Uses and Disclosures" standards, whereas Security has similar "Information Access Management", "access controls," and "Information System Activity Review" standards.
The Security Rule is not just about technical controls; it is about people doing what they are supposed to do. It is focused on PHI when it is maintained in your computer systems and as it is transmitted throughout an internal or external network or in any other "electronic media". The Security Rule standards safeguard ePHI (electronic PHI) from unauthorized access, alteration, deletion, and transmission.
Scalable: You should be able to fit the Security Rule to your needs, whether you have a small office or a large clinic. The Security Rule emphasizes being reasonable and appropriate.
Reasonable and Appropriate
The Security Rule specifically provides factors to be considered when determining which security measures to be used. These measures are:
1) Size, complexity, and capabilities
2) Technical infrastructure, hardware, and software security capabilities
3) Costs of security measures
4) Probability and criticality of potential risks to ePHI
The Security Rule cautions that the cost is not meant to free covered entities from the adequate security measures responsibility.
Risk Analysis and Risk Management
The Security Rule specifies that you must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI your practice holds and implement security measures that are reasonable and appropriate to reduce risks and vulnerabilities to an acceptable level.
Technology Neutrality: The concept of technology neutrality is based on the fact that information technology changes very rapidly. A technology-neutral standard allows the Security Rule to be stable, yet flexible enough to take advantage of the newest technologies available.