> Covered entities must "[protect] against any reasonably anticipated threats or hazards to the security or integrity of such [electronic protected health information the covered entity creates, receives, maintains, or transmits]" (45 C.F.R. § 164.306(a), http://www.law.cornell.edu/cfr/text/45/164.306).
But they also have freedom to select the particular security measures to use, considering: "(i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information." 45 C.F.R. § 164.306(b)
> HIPAA and similar laws don't codify whatever we think is good computing practice today.
No, but that's what implementing regulations usually do. HIPAA regs mostly don't include minimum technical standards (most of the security minimum standards are procedural).
> Congress would have to re-write the law any time GCPs change
Well, sure, if the minimum standards were written into the statute, which is why they are usually in the much-easier-to-change implementing regulations. The guidance under the HITECH Act in effect did some of this for HIPAA PHI, as it created minimum standards for PHI to be considered "secured". But, generally, there's not much there, and it's very difficult to make a solid case that any particular technical practice is necessarily a violation of the HIPAA Security Rule.