FAQ 2007 How can a small provider implement the standards in Security Rule?
This guidance explains that the Security Rule standards allow any covered entity (including small providers) to use any security measures that help the covered entity to reasonably and appropriately implement the standards to protect electronic health information.
Final
Issued by: Office for Civil Rights (OCR)
How can a small provider implement the standards in Security Rule?
Answer:
The Security Rule standards allow any covered entity (including small providers) to use any security measures that help the covered entity to reasonably and appropriately implement the standards to protect electronic health information. In deciding what security measures to use, a covered entity can take into account its size, capabilities, and costs of security measures. A small provider who is a covered entity would first assess their security risks and vulnerabilities and the mechanisms currently in place to mitigate those risks and vulnerabilities. Following this assessment, they should determine what additional measures, if any, need to be taken to meet the standards; taking into account their capabilities and the cost of those measures. For more information on the implementation of the Security Rule by small providers, please see the Security Paper Educational Series. - PDF
HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.