In our last post, we discussed the four general requirements of the Security Rule (45 CFR §164.306(a)); note that these sit in Part 164, not Part 160.
We mentioned that although the items enumerated did not appear unreasonable or overly burdensome, the devil was in the details. So here are some of those details.
The Security Rule contains a concept called the "Flexibility Approach," which others refer to as the Security Rule's guiding principle. In essence, the flexibility principle (§164.306(b)(2)) enumerates four factors that a Business Associate (and a covered entity) must take into account when deciding how to "reasonably and appropriately" implement the standards and implementation specifications.
The four Security Rule Flexibility Factors, as stated in §164.306(b)(2), are as follows:
- The size, complexity, and capabilities of the BA.
- The BA's technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to ePHI.
More on the standards and implementation specifications next time.