Security Rule Principles

It is advisable to periodically review the principles of the HIPAA Rules to remind ourselves of the importance of the regulations. Here we will review the principles of the Security Rule.

The Security Rule is based on three principles: comprehensiveness, scalability and technology neutrality.
· Comprehensiveness: the Security Rule addresses all aspects of security. This means that security measures address confidentiality, data integrity, and availability.
· Scalability: the Security Rule can be effectively implemented by covered entities of all types and sizes.
· Technology neutrality: the Security Rule does not define specific technology requirements, thereby allowing covered entities to make use of future technology advancements.
Comprehensive

The Privacy Rule is pervasive and impacts virtually every aspect of operations. The Security Rule is even more pervasive. It must be understood and practiced by every person in the office.

Privacy and Security are tightly linked. The following chart shows the similarities between the Privacy and Security standards.
Privacy Standard                          | Complementary Security Standard
------------------------------------------|------------------------------------------------------------------------
Minimum Necessary                         | Information Access Management; Access Controls
Verification of Identity and Authority    | Person or Entity Authentication
Sanction Policy                           | Sanction Policy
Training                                  | Training
Business Associate Contracts              | Business Associate Contracts
Policies and Procedures                   | Policies and Procedures
Privacy Compliance Officer                | Security Compliance Officer
Uses and Disclosures                      | Information System Activity Review
Complaints to the Covered Entity          | Evaluation; Incident Procedures
Safeguards                                | Facility Access Controls; Workstation Security; Device and Media Controls
The Security Rule is not just about technical controls; it is about people doing what they are supposed to do. It is focused on PHI when it is maintained in your computer systems and as it is transmitted throughout an internal or external network or in any other "electronic media". The Security Rule standards safeguard ePHI (electronic PHI) from unauthorized access, alteration, deletion, and transmission.
Scalable

You should be able to fit the Security Rule to your needs, whether you have a small office or a large clinic. The Security Rule emphasizes being reasonable and appropriate.
Reasonable and Appropriate

The Security Rule specifically provides factors to be considered when determining which security measures are to be used. These factors are:

· Size, complexity, and capabilities
· Technical infrastructure, hardware, and software security capabilities
· Costs of security measures
· Probability of potential risks to ePHI

The Security Rule cautions that cost considerations are not meant to free covered entities from their responsibility to implement adequate security measures.
Risk Analysis and Risk Management

The Security Rule specifies that you must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI your practice holds, and implement security measures that are reasonable and appropriate to reduce those risks and vulnerabilities to an acceptable level.
Technology Neutral

The concept of technology neutrality is based on the fact that information technology changes very rapidly. A technology neutral standard allows the Security Rule to be stable, yet flexible enough to take advantage of the newest technologies available.