Q&A: HITECH changes to HIPAA Security Rule?
Q: Did HITECH change any HIPAA Security Rule implementation specifications from addressable to required?
A: No, HITECH did not change any HIPAA Security Rule implementation specifications. However, entities should note that the HITECH breach notification provisions and the interim final rule require notification if electronic PHI is not encrypted. This does not change the Security Rule’s encryption-related implementation specifications from addressable to required, but it does provide significant incentive to implement encryption solutions.
You should incorporate any addressable implementation specification into a sound security program unless there is solid justification why the implementation specification cannot or does not need to be implemented. The reason cannot be solely based on cost.
This means that there may have been sound justification for not implementing an implementation
specification in the past, but technology, practices, and security threats may have changed to the point where covered entities and BAs can no longer justify not implementing an addressable implementation specification. (See 45 CFR 164.400–164.414 and 45 CFR 164.312.)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the September issue of Briefings on HIPAA.
- CNO Leads $1M Charge for New Scrubs, Uniforms
- Targeting Self-Insured Populations
- Sharp HealthCare Leaves Pioneer ACO Program
- MA an Insurance Proving Ground for Providers
- mHealth Tackles Readmissions
- Acute Kidney Injury Gets New Focus
- 'Kafkaesque' Value System Unfairly Penalizes Doctor Pay
- States Without Medicaid Expansion Search for Alternatives
- Some Cancer Hospitals' Quality Data Will Soon Be Public
- Half of All Primary Care, Internal Medicine Jobs Unfilled in 2013