Blogs Home
Tuesday, June 23, 2015 1:41 AM

What is Reasonable and Appropriate under the HIPAA Security Rule?

Written by Bill Leonard, Vice President, Professional Services - iatricSystems

HIPAA Security Rule – reasonable and appropriate image

I am often faced with the following question from customers: "Can you tell me specifically what we need to do to comply with HIPAA’s information system activity review requirement…What is ‘reasonable and appropriate’?"

As with many government requirements, there is confusion and misunderstanding of the Security Rule that results in many gaps in organizations’ healthcare security and compliance programs. The below excerpt is from the HHS site, defining the general rules:

The general section of this document states:

"What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources."

We all understand that it is impossible to manually look at all patient access logs from all systems that contain e-PHI to safeguard patient information. But we can’t take the stance, “I am a small covered entity (or Business Associate) and do not have the resources to devote to this problem,” and simply choose to do nothing. I doubt this would fly with the Office of Civil Rights during an audit. 

At Iatric Systems, we believe that every organization, regardless of size, should be using technology to help identify potential privacy breaches. Computers are great for doing the heavy lifting when it comes to reviewing audit logs and can sift through the thousands or millions of accesses that happen in an organization every day and provide you with a list of the ones that are most likely to be inappropriate.

By using technology that can identify the accesses that are most likely inappropriate, organizations can apply a risk-based approach to patient privacy, which will satisfy the "reasonable and appropriate" measure.

So, if your organization determines that based on size and resources you can only investigate 50 or 100 accesses per month, and you use technology to point you to the ones that are the most likely to be inappropriate, you stand a much better chance of the OCR agreeing with you than an organization that does not. 

In 2014, Iatric Systems worked with our customer Intermountain Healthcare to create a product called Auditor’s Desktop that uses analytics to identify and rank the most probable cases of privacy breaches.

Every night, Auditor’s Desktop runs algorithms against newly imported access logs, assigns weights to each specific case, and then ranks them by severity, so the organization’s Patient Privacy Officer can easily make an audit determination. Using this risk-based approach, healthcare organizations can see, at a glance, those cases that require further investigation.

Monthly, we hold a webcast demonstration showing how this can be accomplished.


In summary, a health care organization must implement an information system activity review process that is reasonable and appropriate for the size and resources of their organization, while remembering that doing nothing is not a viable option.

The information system activity review process is a key component in the continuum of diligence that helps to maintain patient trust, and maintaining patient trust is crucial in providing great quality care.