Overview:
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
Action Items:
1) Verify that the organization reviews their security measures at least annually to evaluate their security program to determine reasonable and appropriate steps to improve protections for protected personal health information.
2) To determine which security measures the entity implements, the covered entity or business associate should ensure the following factors are taken into account: the covered entity's size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; the cost of security measures; the probability and criticality of potential risks to ePHI.
Related Documents:
1) Documented list of security measures implemented by the covered entity
2) Documentation that outlines the following as it relates to the covered entity: the covered entity's size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; the cost of security measures; the probability and criticality of potential risks to ePHI.
Additional Guidance:
To determine which security measures the entity implements, the covered entity or business associate should take into account the following factors.
1. Its size, complexity, and capabilities.
2. Its technical infrastructure, hardware, and software security capabilities.
3. The costs of security measures.
4. The probability and criticality of potential risks to ePHI.
Article ID: 429
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-flexibility-of-approach-164-306-b-429.html