Q&A: HITECH changes to HIPAA Security Rule?
Q: Did HITECH change any HIPAA Security Rule implementation specifications from addressable to required?
A: No, HITECH did not change any HIPAA Security Rule implementation specifications. However, entities should note that the HITECH breach notification provisions and the interim final rule require notification if electronic PHI is not encrypted. This does not change the Security Rule’s encryption-related implementation specifications from addressable to required, but it does provide significant incentive to implement encryption solutions.
You should incorporate any addressable implementation specification into a sound security program unless there is solid justification why the implementation specification cannot or does not need to be implemented. The reason cannot be solely based on cost.
This means that there may have been sound justification for not implementing an implementation
specification in the past, but technology, practices, and security threats may have changed to the point where covered entities and BAs can no longer justify not implementing an addressable implementation specification. (See 45 CFR 164.400–164.414 and 45 CFR 164.312.)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the September issue of Briefings on HIPAA.
- Two-Midnight Rule Must be Fixed or Replaced, Say Providers
- CDC Warns of Antibiotic Overuse in Hospitals
- AHRQ: Surgical Admissions Bring 48% of Hospital Revenue
- Care Coordination Tough to Define, Measure
- HIMSS: Software Bugs, Shifting Alliances Unsettling for CIOs
- Hospitals Adapting Amid Continued Drug Shortages
- Evidence-Based Practice and Nursing Research: Avoiding Confusion
- Steep Drop Seen in Medically Unnecessary C-Sections
- SCOTUS Review of NC Board Case 'A Very Big Deal' to Providers
- As Allegations Swirl, Baylor Plano Rejects Baldrige Award