The Security Rule was finalized on February 20, 2003, and includes some significant changes from the proposed rule. It has been simplified, and key sections were removed, such as the one dealing with electronic signatures. In addition, some of the implementation specifications (technical requirements) have been designated as 'Addressable' rather than 'Required'. This does not make them optional: a covered entity must assess whether each addressable specification is 'reasonable' and 'appropriate' given the size of its organization and operations, and either implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. The latitude lies in selecting the specific technology solution, not in deciding whether the risk must be dealt with at all.
HIPAA Security regulations
The federal regulations have been revised. You can find the revised regulations here, as well as the original documents. We also have the Proposed Rule, as we have found it useful: it contains detail on the individual specifications that the revised regulations do not.
HIPAA Security requirements
All health plans, clearinghouses and healthcare providers who submit transactions electronically must comply with HIPAA Security requirements. Covered entities have already seen some security requirements in the Privacy Rule. Privacy required the implementation of Reasonable Safeguards for protected health information, such as controlling access to where information is stored and processed. The Security Rule introduces requirements to protect electronic protected health information (ePHI), and requires safeguards in the following three categories:
Administrative Safeguards – policies and procedures to manage the selection and operation of security measures: risk analysis and risk management, workforce training and sanctions, controlling who is authorized to access electronic protected health information, and contingency planning to ensure business continuity in case of disaster or emergency
Physical Safeguards – policies, procedures and measures to control physical access to the facilities, workstations and devices where electronic protected health information is stored or processed
Technical Safeguards – policies, procedures and mechanisms to control access to electronic protected health information, record and examine that access (audit controls), authenticate users, and ensure the integrity of data at rest and in transmission
In addition,
- Policies and procedures must be updated to reflect security requirements
- Business Associate agreements must be signed
- A Security Official must be identified
- Compliance must be documented
- Staff must be trained
Vendors
Many covered entities, especially providers and small health plans, will need to depend on vendors to comply with Security requirements. There is a wide variety of technology vendors in the healthcare industry, from software vendors, to computer and network hardware and service companies, to specialized security companies. As with Transactions requirements, covered entities will need to exercise their own 'due diligence' in making sure that their existing vendor(s) have the necessary background and expertise to implement HIPAA Security, or in selecting a new vendor. Note that relying on a vendor does not transfer the compliance obligation: the covered entity remains responsible for its own risk analysis and documentation, and any vendor that creates, receives, maintains or transmits electronic protected health information on its behalf is a Business Associate and must be covered by a signed Business Associate agreement.