Q&A: HITECH changes to HIPAA Security Rule?
Q: Did HITECH change any HIPAA Security Rule implementation specifications from addressable to required?
A: No, HITECH did not change any HIPAA Security Rule implementation specifications. However, entities should note that the HITECH breach notification provisions and the interim final rule require notification if electronic PHI is not encrypted. This does not change the Security Rule’s encryption-related implementation specifications from addressable to required, but it does provide significant incentive to implement encryption solutions.
You should incorporate any addressable implementation specification into a sound security program unless there is solid justification why the implementation specification cannot or does not need to be implemented. The reason cannot be solely based on cost.
This means that there may have been sound justification for not implementing an implementation specification in the past, but technology, practices, and security threats may have changed to the point where covered entities and BAs can no longer justify not implementing an addressable implementation specification. (See 45 CFR 164.400–164.414 and 45 CFR 164.312.)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the September issue of Briefings on HIPAA.