regulators and healthcare providers must work in a collaborative and
transparent environment to deliver high quality, low cost, and accessible care.
However, the flexibility of the Security Rule also exposes some shortfalls
when it comes to protecting e-PHI from cyber-attacks.
HHS rulemaking does not mandate a specific set of security measures;
rather, a covered entity (or business associate) “may use any security
measures that allow [it] to reasonably and appropriately implement the
standards and implementation specifications as specified” in the Security
Rule. 38 In deciding which security measures to use in satisfaction of the
“reasonable and appropriate” test, the following factors must be considered:
1. The size, complexity, and capabilities of the covered
entity or business associate;
2. The covered entity’s or business associate’s technical
infrastructure, hardware, and software security capabilities;
3. The costs of security measures; and
4. The probability and criticality of potential risks to
electronic protected health information. 39
This amorphous test comports with the flexibility built into HIPAA’s
regulatory framework. Companies can implement security measures based
on their unique circumstances and still comply with the law. But given the
growing “probability” and “criticality” of cyber-security threats facing the
healthcare industry as a whole (the fourth factor above), the reasonableness
and appropriateness of the security measures chosen could be very difficult
to defend following an external breach. For example, in the case of a
corporation that handles large amounts of PHI and has vast economic
resources to devote to health IT security, anything less than the
implementation of state-of-the-art cybersecurity processes and controls may
be viewed as insufficient.
The implementation specifications under the Security Rule include
administrative, physical, and technical safeguards which outline security
measures HHS will evaluate in the event of a breach investigation. 40 The
specifications are broken down into two general categories: “required” (i.e.,
must be implemented by the entity in the manner set forth in applicable
38. 45 C.F.R. § 164.306(b)(1) (2013) (emphasis added).
39. Id. § 164.306(b)(2) (2013).
40. See id. §§ 164.308–164.316 (2013).