Q&A: HITECH changes to HIPAA Security Rule?
Q: Did HITECH change any HIPAA Security Rule implementation specifications from addressable to required?
A: No, HITECH did not change any HIPAA Security Rule implementation specifications. However, entities should note that the HITECH breach notification provisions and the interim final rule require notification if electronic PHI is not encrypted. This does not change the Security Rule’s encryption-related implementation specifications from addressable to required, but it does provide significant incentive to implement encryption solutions.
You should incorporate any addressable implementation specification into a sound security program unless there is solid justification why the implementation specification cannot or does not need to be implemented. The reason cannot be solely based on cost.
This means that there may have been sound justification for not implementing an implementation
specification in the past, but technology, practices, and security threats may have changed to the point where covered entities and BAs can no longer justify not implementing an addressable implementation specification. (See 45 CFR 164.400–164.414 and 45 CFR 164.312.)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the September issue of Briefings on HIPAA.
- As Medicare Advantage Cuts Loom, Disagreement Over Program's Stability
- 3 Management Lessons from a Supermarket Debacle
- Medicare Advantage Carriers See 'No Choice' But to Accept Cuts
- Physicians to Appeal 'Docs v. Glocks' Ruling in FL
- CA Fines 8 Hospitals for Medical Errors
- Centralizing the Revenue Cycle Protects the Bottom Line
- Revenue Cycles Get a Boost from Simple JPEG Files
- IOM Identifies GME Problems, Calls for Finance Changes
- Employers Weigh Risks, Benefits of Private Exchanges
- Doctors Feel Pressure to Accept Risk-based Reimbursement