Here Comes HIPAA Security
May 2003 Issue
So you just finished your Privacy Rule compliance effort and are finalizing your Electronic Transaction and Code Set testing and now you hear rumors about the HIPAA Security Rule being finalized. Is it true? Yes. The Security Rule was finalized and published on February 20, and if you are a covered entity, you will have to comply with it. The good news is that the compliance date for the Security Rule is not until February 21, 2005.
So as an O&P organization, why worry about the Security Rule now? What are the basics that your organization has to do in order to meet this rule? And just what is being secured?
Over the next several months, I will provide you with facts, requirements and the steps to help you with your HIPAA Security compliance efforts. By starting your Security compliance efforts now, you can plan appropriately for the resources, training, and budget that will be needed to meet the Security requirements. So grab a folder, label it "Security," and file away a copy of The O&P EDGE every month.
Do You Have To Comply?
This is a simple determination. If you were required to comply with the Privacy Rule or Electronic Transactions and Code Sets Rule, you are a covered entity and will have to comply with the Security Rule also.
What Will Be Protected by the Security Rule?
Protected Health Information (PHI) that is transmitted or maintained electronically.
Electronic media includes electronic storage media such as memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as a magnetic tape or disk, optical disk or a digital memory card. It also includes transmission media used to exchange information such as the Internet, an extranet, leased lines, dial-up lines, private networks and the physical movement of the removable/transportable electronic storage media.
Electronic media does not include paper, fax, and voice via telephone.
An O&P organization that is a covered entity must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule; and
- Ensure compliance with the Security Rule by its workforce.
Required and Addressable Requirements
The Department of Health and Human Services (DHHS) allows the covered entity to be flexible in its approach to reasonably and appropriately put the standards and implementation specifications into effect. DHHS provides this flexibility by designating each implementation specification in the Security Rule as either "required" or "addressable."
If the specification is "required," the covered entity must implement the specification as stated in the Security Rule.
If the specification is "addressable," then the covered entity must:
1. Assess whether the specification is a reasonable and appropriate safeguard in its environment and is likely to contribute to protecting the entity's electronic protected health information; and
2. Implement the specification or document why it would not be reasonable and appropriate. Implement an equivalent alternative measure if reasonable and appropriate.
In our next article we will look into the Security Rule and its "required" and "addressable" implementation specifications.
While all information is believed to be correct at the time of writing, this article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult with an attorney.
Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.