HIPAA Security Rule
Introduction
Thousands of US organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule is a key part of HIPAA — federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.

If your organization is a Covered Entity (one that must comply with HIPAA), it is imperative that you understand the rule and take the necessary steps toward compliance. This article presents a detailed overview of the Security Rule and key factors you should consider when preparing to comply with the rule.
The basics

| Question | Summary |
|---|---|
| What | The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted. |
| Who | Covered Entities (CEs) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and repricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any EPHI. |
| How | CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks. |
| When | The final Security Rule became effective as of April 21, 2003. Most CEs must be in compliance by April 20, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006. |
Health care consumers expect their medical information to be appropriately protected. After much delay, the HIPAA Security Rule has arrived in an effort to address their concerns. Compliance will require CEs to (1) identify the risks to their EPHI and (2) implement a wide variety of security best practices. Complying with the Security Rule can require significant time and resources. Now is the time to begin compliance efforts.
For additional information and a copy of the final rule, please refer to the CMS website.