The HIPAA Security Rule which sets forth standard security requirements for protecting health information was developed by the Department of Health and Human Services and published in 2003. The requirement that a HIPAA Security Rule be developed arose from the Health Insurance Portability and Accountability Act of 1996. The Security Rule applies to covered entities and their business associates.
The HIPAA Security Rule was written with the knowledge that covered entities and business associates may range from small businesses of a few individuals to multi-national organizations. Therefore, the Security Rule is able to be scaled to the entity. There is no one size fits all answer.
Covered entities are required to be in compliance with every Security Rule standard. However, the Security Rule categorizes implementation specifications as either required or addressable. Just as you’d expect, the required implementation specifications must be implemented by all covered entities. Addressable implementation specifications are not optional, but the Security Rule permits covered entities to assess addressable implementation specifications to determine if they are appropriate and reasonable to that entity. If it is not, covered entities are allowed to implement an alternative solution that is “reasonable and appropriate.” Each covered entity is expected to determine what particular security measures within the Security Role are “appropriate and reasonable” for them based on several factors including size, complexity, infrastructure, cost, and risks.
In relation to determining, implementing, and maintaining security measures, covered entities must perform a risk assessment of the security controls in place with regard to the Security Rule and review and revise the risk assessment on a regular basis to account for changes in their environment. Again, the Security Rule stresses that measures put in place by the covered entity to secure ePHI should be “reasonable and appropriate” for that particular organization.