Starting today, I would like to start writing about the CFR rules for HIPAA Privacy and Security, and would like to share my thoughts on them.
Below are some CFRs I will start analyzing this week:
See: 45 CFR § 164.306(d)(3) detailing the difference between “Addressable” and “Required” implementation specifications at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;
45 CFR § 164.312(a)(2)(iv) labeling encryption and decryption as “Addressable” at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html
Encryption Related:
45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii).