Security Rule Requirements
The Security Rule requires health care providers to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (e-PHI). Specifically, health care providers must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The Security Rule does not dictate which security measures a health care provider must use. Instead, the rule requires the health care provider to consider:
- Its size, complexity, and capabilities;
- Its technical, hardware, and software infrastructure;
- The costs of security measures; and
- The likelihood and possible impact of potential risks to e-PHI.
In addition, health care providers are also required to document, review, and, as needed, modify their security measures.
Administrative Safeguards
The Security Rule requires covered entities to put in place the following administrative safeguards: