Q&A: HITECH changes to HIPAA Security Rule?
Q: Did HITECH change any HIPAA Security Rule implementation specifications from addressable to required?
A: No, HITECH did not change any HIPAA Security Rule implementation specifications. However, entities should note that the HITECH breach notification provisions and the interim final rule require notification if electronic PHI is not encrypted. This does not change the Security Rule’s encryption-related implementation specifications from addressable to required, but it does provide significant incentive to implement encryption solutions.
You should incorporate any addressable implementation specification into a sound security program unless there is solid justification why the implementation specification cannot or does not need to be implemented. The reason cannot be solely based on cost.
This means that there may have been sound justification for not implementing an implementation
specification in the past, but technology, practices, and security threats may have changed to the point where covered entities and BAs can no longer justify not implementing an addressable implementation specification. (See 45 CFR 164.400–164.414 and 45 CFR 164.312.)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the September issue of Briefings on HIPAA.
- Drug Pricing 'Tantamount to Greed,' Lawmaker Says
- CVS Ramps Up Retail Clinics with Provider Affiliations
- Study Puts Spotlight on Preventing Fall-Related Injuries
- Wanted: Nurse PhDs
- Surgical Checklists Unused in 10% of Hospitals, CMS Data Shows
- The Infection-Busting Treatment Payers Don’t Want to Talk About
- Contradictory Obamacare Rulings Issued by Appellate Courts
- 4 Tectonic Shifts Shaking Up Healthcare
- As HIPAA Breaches Accelerate, Tools Lag
- Doctors Feel Pressure to Accept Risk-based Reimbursement