The HIPAA Security Rule is designed to protect the privacy of individuals’ health information while promoting the adoption of new technologies to improve the quality and efficiency of patient care.[1] It is composed of standards with which organizations must comply, including a number of implementation specifications deemed either “required” or “addressable.” It is designed to allow organizations the flexibility to use “any security measures” by which an organization can reasonably and appropriately implement the standards and implementation specifications.[2]
Notwithstanding its flexible approach, the Security Rule is highly detailed and contains a number of specific requirements. In particular, compliance with the rule requires:
- identifying an individual who is responsible for the implementation and oversight of the Security Rule compliance program;
- conducting initial and ongoing risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and addressing the identified issues;
- implementing a security awareness and training program for the workforce, and disciplining individual workers for failure to comply with the organization’s policies and procedures; and
- implementing administrative, physical, and technical policies and procedures that provide for limited role-based access to ePHI and prevent unauthorized access, use, disclosure, alteration, or destruction of ePHI throughout the organization’s environment, and that are auditable and evaluated for effectiveness periodically.[3]
[1] Id. §§ 164.302-318.
[2] Id. § 164.306.
[3] Id. §§ 164.308, 164.310, 164.312.