A slippery and relative term, one that is used, but not defined, in the Code of Federal Regulations. What is “reasonable and appropriate” for one organization will not be reasonable and appropriate for another.
“Reasonable and appropriate” measures start with a comprehensive security risk analysis based on a recognized framework. The results of that analysis determine the appropriate methods for communicating HIPAA-protected information.
The results are then fed into an organizational risk management program that examines what constitutes reasonable HIPAA accommodation and considers:
- The size, complexity, and capabilities of the covered entity or business associate;
- The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities;
- The costs of security measures; and
- The probability and criticality of potential risks to electronic protected health information.
The analysis assesses HIPAA privacy, security, and appropriate access. It also determines which risks to manage and which risks to accept for the organization as a whole.