In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required.
What to Do
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the security standard as outlined in 45 CFR 306(a). The general requirements are:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the Privacy Rule].
4. Ensure compliance with this subpart by its workforce.
How to Do It
This implementation specification requires the covered entity to develop and implement a plan to manage risks that it identified in its Risk Analysis. The risk management plan will provide the foundation for implementation of the covered entity’s security policies and procedures. In preparing the plan, the covered entity may take into consideration the following factors under the “flexibility of approach” general rule that underpins the Security Rule:
» “The size, complexity, and capabilities of the covered entity.”
» “The covered entity’s technical infrastructure, hardware, and software security capabilities.”
» “The costs of security measures.”
» “The probability and criticality of potential risks to electronic protected health information.”
Risks change over time, so the covered entity must make ongoing efforts to maintain an acceptable level of risk rather than treating the plan as a one-time exercise. As an example, passwords must be changed on a regular basis to maintain an acceptable level of risk regarding unauthorized system access.