On August 12, 1998, the Department of Health and Human Services (HHS) published the proposed Security and Electronic Signature Standards (Security Rule). The statutory requirements for the Security Rule, a federal regulation, are contained in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final rule was published on February 20, 2003, and can be obtained at http://www.cms.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf.
Health plans, physicians, other providers, and clearinghouses that participate in programs administered by the Department of Health and Human Services (HHS), other federal agencies, and state Medicaid agencies must comply with the final Security Rule. As such, health plans, physicians, providers, and clearinghouses are required to protect the confidentiality, integrity, and availability of individuals' protected health information (PHI) that is electronically collected, maintained, used, or transmitted.
The Security Rule has two major components: the Security Standard and the Electronic Signature Standard.
I. The Security Standard
The Security Standard establishes requirements that facilitate the medical practice's storage, maintenance, and transmission of PHI in a secure electronic environment. It applies not only to the transactions adopted under HIPAA, but also to ALL electronic PHI that is maintained or transmitted by an entity. Accordingly, virtually every practice is covered.
II. The Electronic Signature Standard
The Electronic Signature Standard establishes measures that must be used if and when a transaction requires the use of an electronic signature. Unlike the Security Standard, the Electronic Signature Standard applies ONLY to the transactions adopted under HIPAA. Note that the final rule published on February 20, 2003 did not adopt the Electronic Signature Standard; HHS deferred electronic signature standards to a separate rulemaking, so the requirements described in this section are those of the 1998 proposed rule.
A medical practice is NOT required to use electronic signatures. If a practice chooses to do so, standards in the Security Rule for verifying the identity of the message sender or the signer of a document must be followed.
Medical practices are not required to implement the Security Rule in any particular order and can therefore do so in a manner that best suits the individual practice. Additionally, the Security Rule is technology neutral: it neither refers to nor advocates specific technology such as particular information systems, hardware, or software, and requires only that whatever technology a practice uses satisfies the Security Rule's requirements. Practices are encouraged to speak with their software vendors to verify that the vendors' products support compliance.
The ACC is in the process of developing a separate Security Manual that will provide a step-by-step process for becoming compliant. Physician practices have two years (24 months) from the final rule's effective date of April 21, 2003 to ensure that they and their vendors are fully compliant. The compliance deadline for the Security Rule is April 20, 2005 (small health plans have until April 20, 2006).
Security Rule Terms
Secure Electronic Environment—an environment that has administrative procedures, physical safeguards, and technical security services and mechanisms in place. It also includes the implementation of an electronic signature standard if the practice uses an electronic signature.

Administrative Procedures—formal, documented processes to protect PHI. This includes the selection and execution of security measures and the management of personnel as it relates to protecting PHI.

Physical Safeguards—procedures to protect computer systems, buildings, and other equipment from fire, other natural and environmental hazards, and intrusion.

Technical Security Services—processes that are implemented to control and monitor access to PHI, such as password-based access controls.

Technical Security Mechanisms—processes implemented to prevent unauthorized access to data that is transmitted over a communications network (Internet, intranet, fax machine, etc.).

Electronic Signature—an element that is attached to an electronic document to identify the signer.