Security Rule Principles
It is advisable to periodically review the principles of the HIPAA Rules to remind ourselves of the importance of the regulations. Here we will review the principles of the Security Rule.
The Security Rule is based on three principles: comprehensiveness, scalability and technology neutrality.
· Comprehensiveness
This refers to the fact that the Security Rule addresses all aspects of security. This means that security measures address confidentiality, data integrity, and availability.
· Scalability
This assures that the Security Rule can be effectively implemented by covered entities of all types and sizes.
· Technology neutrality
This means the Security Rule does not define specific technology requirements, thereby allowing covered entities to make use of future technology advancements.
The Privacy Rule is pervasive and impacts virtually every aspect of operations. The Security Rule is even more pervasive. It must be understood and practiced by every person in the office.
Privacy and Security are tightly linked. The following chart shows the similarities between the Privacy and Security standards.
Privacy Standard                          Complementary Security Standard
Minimum Necessary                         Information Access Management, Access Controls
Verification of Identity and Authority    Person or Entity Authentication
Sanction Policy                           Sanction Policy
Business Associate Contracts              Business Associate Contracts
Policies and Procedures                   Policies and Procedures
Privacy Compliance Officer                Security Compliance Officer
Uses and Disclosures                      Information System Activity Review
Complaints to the Covered Entity          Evaluation, Incident Procedures
Safeguards                                Facility Access Controls, Device and Media Controls
The Security Rule is not just about technical controls; it is about people doing what they are supposed to do. It is focused on PHI when it is maintained in your computer systems and as it is transmitted throughout an internal or external network or in any other “electronic media”. The Security Rule standards safeguard ePHI (electronic PHI) from unauthorized access, alteration, deletion, and transmission.
You should be able to fit the Security Rule to your needs – whether you have a small office or a large clinic. The Security Rule emphasizes being reasonable and appropriate.
Reasonable and Appropriate
The Security Rule specifically lists the factors to be considered when determining which security measures to use. These factors are:
· Size, complexity, and capabilities
· Technical infrastructure, hardware, and software security capabilities
· Costs of security measures
· Probability of potential risks to ePHI
The Security Rule cautions that cost alone does not free covered entities from their responsibility to implement adequate security measures.
Risk Analysis and Risk Management
The Security Rule specifies that you must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI your practice holds and implement security measures that are reasonable and appropriate to reduce risks and vulnerabilities to an acceptable level.
The concept of technology neutrality is based on the fact that information technology changes very rapidly. A technology neutral standard allows the Security Rule to be stable, yet flexible enough to take advantage of the newest technologies available.