The Security Rule was finalized on February 20, 2003, and includes some significant changes from the proposed rule. It has been simplified, and key sections were removed, such as that dealing with electronic signatures. In addition, some of the implementation speficications (technical requirements) have been designated as 'Addressable' - meaning that covered entities have additional latitude to select and implement specific technology solutions, based on whether the requirement is 'reasonable' and 'appropriate' given the size of their organization and operations.
HIPAA Security regulations
The federal regulations have been revised. You can find the revised regulations here, as well as the original documents. We are also have the Proposed Rule, as we have found it useful - it contains detail that the revised regulations do not have, with regard to specifications.
HIPAA Security requirements
All health plans, clearinghouses and healthcare providers who submit transactions electronically must comply with HIPAA Security requirements. Covered entities have already seen some security requirements in the Privacy Rule. Privacy required the implementation of Reasonable Safeguards for protected health information, such as controlling access to where information is stored and processed. The Security Rule introduces requirements to protect electronic protected health information (ePHI), and requires safeguards in the following three categories:
Administrative Safeguards – policies and procedures to control access to electronic protected health information and ensure business continuity in case of disaster or emergency
Physical Safeguards – policies, procedures and measures to control physical access to electronic protected health information
Technical Safeguards – policies, procedures and mechanisms to control access to electronic protected health information and ensure the integrity of data
- Policies and procedures must be updated to reflect privacy requirements
- Business Associate agreements must be signed
- A Security Official must be identified
- Compliance must be documented
- Staff must be trained
Many covered entities, especially providers and small health plans, will need to depend on vendors to comply with Security requirements. There is a variety of technology vendors in the healthcare industry, from software vendors, to computer and network hardware and service companies, to specialized security companies. As with Transactions requirements, covered entities will need to exercise their own ‘due diligence’ in making sure that their existing vendor(s) have the necessary background and expertise to implement HIPAA Security, or in selecting a new vendor.