
Ensuring that your organization is fully compliant with HIPAA Security Standards can be a daunting task. The requirements for compliance are many and varied and are mandated largely by the Department of Health and Human Services.

Below we offer some documentation that you can use to familiarize yourself with the compliance requirements, and that should answer many of the questions commonly asked about the Act and its relevance to your medical or healthcare-related business. All documents are in PDF format and can be viewed with Adobe Acrobat Reader.


Covered Entity Verification. Check if your medical business needs to comply with Health Insurance Portability and Accountability Act policies.

Federal Register HIPAA Administrative Simplification Final Security Rule Standard.

HIPAA Compliance Security Standards

Article on how the regulations reshape the way people run medical businesses. The Benefits and Challenges of Implementing Administrative Simplification and Privacy Rules.

Cygnus Security Corporation specializes in assisting organizations that are required under federal statute to comply with the HIPAA Security and Privacy Rules. Please keep in mind that the Security Rule compliance deadline is April 20, 2005. That means full implementation of every "required" implementation specification, and either implementation or a documented alternative for every "addressable" one.

If you are out of compliance today, you may not be in business tomorrow!
We have the talent! We have the experience! We have the resources! We know compliance!

The HIPAA Security Rule requires each covered entity to designate a security official who is responsible for developing and implementing its security policies and for continued compliance. We understand that most small businesses do not possess the staff to handle such operations. We can serve as your organization's Chief Security Officer, keep your program current as the regulations change, and ensure that your patient and customer information is secured and uncompromised. Please contact us today for all your HIPAA and information security needs.

HIPAA Security Standards

To improve the efficiency and effectiveness of the health care system, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which included a series of “administrative simplification” provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. All covered entities must be in compliance with the electronic transactions and code sets standards by October 16, 2003. The law is clear: October 16, 2003 is the deadline for covered entities to comply with HIPAA’s electronic transaction and code sets provisions. After that date, covered entities, including health plans, may not conduct noncompliant transactions. With the October deadline just ahead, HHS has received a number of inquiries expressing concern over the health care industry’s state of readiness. In response, the Department believes it is particularly important to outline its approach to enforcement of HIPAA’s electronic transactions and code sets provisions. The Department will continue to provide technical assistance and issue guidance on the transactions and code sets provisions and compliance therewith.

April 14, 2003 was a landmark date for healthcare organizations throughout the United States. This is the day that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule compliance deadline arrived, carrying with it security implications in the form of privacy safeguards. Entities that limit their security planning and evaluation at this time, thinking that they have until April 20, 2005 to establish their HIPAA security practices, may be in for a shock. Full compliance actually requires an understanding and application of both rules, even though the scope of the final Security Rule is limited to electronic protected health information (PHI). An information security program must still consider physical security, since the HIPAA Privacy Rule (§164.530(c)) requires appropriate safeguards for all PHI, regardless of format or media.


The final HIPAA Security Rule, published in the Federal Register on February 20, 2003, outlines the security standards, implementation specifications, and requirements with which all covered entities (i.e., health plans, health care providers, and health care clearinghouses) must comply with respect to electronic protected health information. This section gives a synopsis of the final rule. Each major section is summarized, with a brief discussion of its potential impact on an entity's security practices.

Security Standards: General Rules (§164.306)

Section §164.306(a) states:

Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the Privacy Rule].

(4) Ensure compliance with this subpart by its workforce (Federal Register, vol. 68, no. 34, 8376).

An entity may take a flexible approach to implementing security, establishing reasonable and appropriate measures to meet the standards (the requirements) and the implementation specifications (the instructions for implementing those standards) (Federal Register, vol. 68, no. 34, 8336). The entity's analysis must show that it has taken into consideration factors such as its size and environment, its technical capabilities, the cost of the measures, and the probability and criticality of the risks to its electronic PHI.

The safeguards specified by the Federal Register HIPAA Security Standards are subdivided into three major categories:

•  Administrative Safeguards §164.308

•  Physical Safeguards §164.310

•  Technical Safeguards §164.312

Covered entities must conduct a risk analysis to identify, acknowledge, and mitigate the risks to electronic PHI as it is transmitted, stored, and otherwise handled. Each implementation specification under the standards is designated either "required" or "addressable". Certain specifications, such as encryption, are "addressable": an entity may implement the specification as written, implement an equivalent alternative measure, or, if neither is reasonable and appropriate in its environment, decline to implement it. In every case the entity must clearly document its analysis of whether the decision meets the test of "reasonable and appropriate". Logically, this should be done during the risk analysis required by §164.308(a)(1)(ii)(A), with the decisions recorded as part of its outcomes. The entity must also review this information and update it "as needed" to ensure continued protection of electronic PHI. The rule does not specify the review interval, so the entity should follow industry best practice and, at minimum, revisit the analysis whenever its systems, workforce, or threat environment change materially.


HIPAA Administrative Simplification Compliance Deadlines

Date - Deadline

October 15, 2002 - Deadline to submit a compliance extension form for Electronic Health Care Transactions and Code Sets.

October 16, 2002 - Electronic Health Care Transactions and Code Sets: all covered entities except those that filed for an extension and small health plans.

April 14, 2003 - Privacy: all covered entities except small health plans.

April 16, 2003 - Electronic Health Care Transactions and Code Sets: all covered entities must have started software and systems testing.

October 16, 2003 - Electronic Health Care Transactions and Code Sets: all covered entities that filed for an extension, and small health plans.

October 16, 2003 - Medicare will only accept paper claims under limited circumstances.

April 14, 2004 - Privacy: small health plans.

July 30, 2004 - Employer Identifier Standard: all covered entities except small health plans.

April 20, 2005 - Security Standards: all covered entities except small health plans.

August 1, 2005 - Employer Identifier Standard: small health plans.

April 20, 2006 - Security Standards: small health plans.

May 23, 2007 - National Provider Identifier: all covered entities except small health plans.

May 23, 2008 - National Provider Identifier: small health plans.


We offer a wide spectrum of individualized services! Find out today what we can do for your business!
Info@cygnus-security.com. You can also reach us at 1-(212)-404-1722.

Copyright 2004 Cygnus Security Corporation ®. All rights reserved.