[ Friday, February 14, 2003 ]


New Security Regs: Quick Analysis:

John R. Christiansen, a Seattle health lawyer with Preston Gates & Ellis, had the following to say about the new Security Regs on one of the American Health Lawyers Association e-mail roundtables:

"Overall, I think I like it.

"HHS seems to have done a pretty good job of integrating it with the Privacy Rule, conceptually, in use of terminology, and in terms of reorganizing the codification (which won't really become helpful until they are together in the Code of Federal Regulations). A number of redundancies have been eliminated, as have some unclear concepts and terms.

"There is what seems to be a useful new structure to the rules, which are now organized according to "standard" (which states a requirement in generalized terms) and "implementation specifications" (which identify what you do to meet a standard). Implementation specifications are then broken down into "required" and "addressable" specifications.

"A "required" specification is just what it says: Implement as stated. For example, risk analysis and risk management are required; so is security incident (now a defined term) response. (Note: the final rule continues the "technology-neutral" stance of the draft, so there are no required technology specifications).

"An "addressable" specification, on the other hand, is one where you must make a decision: Address the specification specifically, implement an alternative which covers the same general concept identified in the standard, do a combination of both, or do nothing. The decision what to do, however, must be reasonable based upon a risk assessment, and if an alternative solution is adopted or the decision is to do nothing, the basis for the decision must be documented. Thus, for example, the access authorization standard is implemented by addressable standards, allowing it to be "scaled" to the organization.

"This approach was implicit in the draft rule, but it was not clear how it applied or whether it applied to all standards. I think it will prove a helpful clarification.

"The general areas which must be addressed remain the same; covered entities (the term is now used in the rule) must address standards in the areas of administrative, physical and technical safeguards. However, a number of redundancies have been eliminated, and several useful definitions have been added or clarified. For example, chain of trust agreement requirements have been folded into business associate contracting.

"One point worth noting is that the draft rule required a risk assessment as the starting point for security determinations, but did not particularly emphasize it. It seems to me that there is more emphasis on risk assessment in the final rule, in that it is tied expressly in as the basis for making "addressable specification" choices.

"This is very much a process-oriented rule; I don't see safe harbors, but I do see a framework requiring informed, reasonable, appropriate and documented decision-making. The preamble repeatedly emphasizes that this shouldn't pose substantial financial or administrative hardship, assuming you've been reasonable about security already - but I'm not sure how valid that assumption always is.

"Finally, it's now official: electronic signatures are on a separate track, though apparently a rule is going to be published."

I'll post my analysis on the new Regs once I've had a chance to digest them. For the time being, however, paying work calls.

Jeff [10:41 AM]
