HIPAA security rule now in its final form
Signature standard not included
Final security standards under the Health Insurance Portability and Accountability Act (HIPAA) for protecting patient health information when it is maintained or transmitted electronically have been adopted by the Department of Health and Human Services (HHS).
All "covered entities," which include health care providers, health plans, and health care clearinghouses, must comply with the rule, which was published Feb. 20 in the Federal Register. It includes the following provisions:
- All work force members, including management, must receive security awareness training.
- Organizations must conduct risk analyses to determine information security risks and vulnerabilities.
- Organizations must establish policies and procedures that allow access to electronic protected health information (PHI) on a need-to-know basis.
- Organizations must implement audit controls that record and examine who has logged into information systems that contain PHI.
- Organizations must limit physical access to facilities that contain electronic PHI.
- Organizations must establish and enforce sanctions against members of the work force who don’t follow information security policies and procedures.
The electronic signature standard, a component of the proposed rule, was removed from the final version, which was published in the Feb. 20, 2003, Federal Register. HHS has said it will publish that standard in a separate final rule, but did not say when.
Some security experts have said the rule, while well integrated with the HIPAA privacy rule, lacks specific guidance in some critical areas, such as the requirement that encryption be used "only when deemed appropriate."
John Christiansen, JD, an attorney with Preston Gates in Seattle, has said the HHS accomplished one of its goals, which was to integrate the security rule with the privacy rule. He said many redundancies had been eliminated, in addition to some unclear concepts and rules.
For example, the chain of trust agreement, a document that would require business partners to protect electronic PHI received from covered entities, was eliminated. Covered entities are required to accomplish this through business associate agreements, which are required under the privacy rule.
HHS writes in the rule’s preamble that the regulations are consistent with "generally accepted security principles."
The regulations will become enforceable for most covered entities, including hospitals, on April 21, 2005. Small health plans will have an additional year to comply. To view the final rule, go to www.access.gpo.gov.