52 Journal of Regulatory Compliance Vol. I
regulations) and “addressable.” 41 For the latter, specific rules must be
considered to determine whether a given measure is reasonable and
appropriate. 42 The entity must first assess whether the particular safeguard is
reasonable and appropriate in its environment relative to the contribution the
measure would have in protecting e-PHI. (This essentially tracks the four-factor test above.) 43 It then must either implement the specification if
reasonable and appropriate, or if implementing the specification is not
reasonable and appropriate: (1) document the basis for making that
determination; 44 and (2) implement an equivalent alternative measure if
The foregoing rule structure makes clear that, while covered entities and
business associates are free to implement security protections tailored to their
own circumstances, they must be able to defend their decisions. Those
decisions, particularly regarding the “addressable” measures, may draw
rigorous scrutiny moving forward because such scrutiny is one of the few tools HHS has
to incentivize increased cybersecurity measures. Thus, it is important to
understand the implementation safeguards currently set out in the Security
1. Administrative Safeguards
In general, the required administrative safeguards include the
implementation of policies and procedures to “prevent, detect, contain, and
correct security violations.” 46 This includes, among other things, an
“accurate and thorough assessment of the potential risks and vulnerabilities
to the confidentiality, integrity, and availability” of e-PHI, and security
measures sufficient to reduce any identified risks and vulnerabilities. 47 It also
requires a “sanctions policy against workforce members who fail to comply”
with the company’s security policies and procedures, and procedures to
“regularly review records of information system activity, such as audit logs,
access reports, and security incident tracking reports.” 48 Further, in the event
of a security emergency, companies must have a data backup plan, a disaster
recovery plan to restore any lost data, and procedures to enable continuation
of critical business processes to secure e-PHI while operating in “emergency
41. Id. § 164.306(d)(1) (2013).
43. Id. § 164.306(d)(3)(i) (2013).
44. Id. § 164.306(d)(3)(ii) (2013).
46. Id. § 164.308(a)(1)(ii)(B) (2013).
47. Id. § 164.308(a)(1)(ii)(A) (2013).
48. Id. § 164.308(a)(1)(ii)(C)–(D) (2013).