§164.306(b): Flexibility of approach.
(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
Audit Inquiry
In deciding which security measures to implement, the covered entity or business associate should take into account the following factors:
1. Its size, complexity, and capabilities.
2. Its technical infrastructure, hardware, and software security capabilities.
3. The costs of security measures.
4. The probability and criticality of potential risks to ePHI.
Use these general requirements and factors when assessing an entity’s compliance with the specific requirements of the Security Rule.