and implementation specifications (HIPAA)
Rule is divided into administrative,
safeguard requirements -- now called "standards,"
in keeping with the language used in the HIPAA statute and
the other rules.

The three safeguard categories are further divided into "implementation specifications" that delineate how each of the standards is to be implemented. In some cases, the standard itself contains enough information to describe implementation requirements, so there is no separate specification. (Note that in an earlier version of the Rule, standards were called "requirements," and implementation specifications were called "implementation features.")

The Security Rule has both "required" and "addressable" provisions for its administrative, physical and technical safeguards. Required means just what you think -- it must be done. Addressable specifications can be met by implementing:

- one or more of the "addressable" specifications;
- one or more alternative security measures;
- a combination of both of these; or
entity must decide what approach is "reasonable and
appropriate" given its risk analysis, its mitigation
strategy for those risks, security measures already in place,
and the costs of alternatives.
a specific statutory mandate to consider the needs of small
and rural providers. DHHS has commented that it believes the
"scalability" of the security provisions meets this
requirement -- namely, that "the risk assessment and
[the] response to the assessment be based on the needs and
capabilities of the entity." (Final Rule, p.41)

The decision rule is easy to list, even if what is "reasonable and appropriate" may still be far from self-evident in many situations. If an addressable provision is determined to be:

- reasonable and appropriate given the circumstances of the covered entity, it must be implemented;
or inappropriate, but the standard cannot be met without
it, then an alternative measure must be put in place;
or inappropriate, or simply not applicable to the situation,
and the standard can be met without even an alternative,
then nothing need be done.

In all cases the covered entity must document what it has (or has not) done to meet the standards in its policies and procedures.
The rationale for the selection of an alternative, or to not
implement anything at all, must be documented with particular
thoroughness, including how the standard is being met via

DHHS has indicated that it plans to issue guidance documents, similar to those for the Privacy Rule, to help covered entities interpret and apply the standards and specifications of the Security Rule.