Small-practice requirements

Q: I'm an FP in a three-person practice. Under the security rule, must I implement the same safeguards as a larger practice?

A: No. The security rule allows for "scalability," which, in simple terms, means that one size doesn't fit all. After all, entities affected by the rule range from small practices like yours, with rudimentary technology, limited resources, and low risk exposure, to large private and university health systems, with quite developed information technology, broad resources, and very high risk exposure. Given this range, the government allows flexibility in the security rule, depending on specific circumstances.

Consider, for example, one of the data security standards. It not only requires that you back up data, but that you store this backed up data in a secure location, with controlled access. A large provider-a hospital system, say-may achieve compliance by storing its backed-up information off site, in a secure computer facility. A smaller practice like yours, however, may simply need to back up data on CDs or other media and store these in a locked closet or room, preferably off site.