HIPAA Security Rule Implementation
The focus of the HIPAA Security Rule is risk management. The Security Rule requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
In order to comply with the Security Rule each covered entity must:

- Assess its own security risks
- Determine its risk tolerance or risk aversion
- Devise, implement and maintain appropriate security to address its business requirements
- Document its security decisions
- Appoint an Information Security Officer
- Amend privacy policies and procedures to coordinate with security policies and procedures
- Amend Business Associate Agreements
To facilitate this risk management exercise, the Security Rule has developed "standards" and "specifications" that each covered entity must address as part of its compliance efforts. Each "standard" concerns some type of organizational structure or administrative, physical or technical safeguard required for security purposes. Standards are implemented by one or more "specifications" which are specific requirements or instructions for implementing a standard. The Security Rule outlines 18 standards covering 36 implementation specifications.