Thousands of US health-care organizations have been waiting for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to be finalized. First proposed nearly five
What: The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Who: Covered Entities (CEs) must
How: CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI.
Why: The basic purpose of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored,
When: The final Security Rule will be effective as of April 21, 2003. Most CEs will have until April 21, 2005 to comply; small health plans (those with annual receipts of $5 million or less) will have until April 21, 2006.
Unlike other security best practices or standards, the HIPAA Security Rule is federal law. There are clear, defined consequences in the event of infringement; CEs who
There are several principles upon which the final Security Rule is based:
Scalability. All sizes of healthcare entities must be able to comply with the rule.
Comprehensiveness. The rule is meant to result in a unified system of protection for EPHI. CEs must use a defense-in-depth security approach.
Technology neutral. The rule contains no specific technology recommendations (e.g., specific type of firewall, IDS, access control system). Each CE must choose the appropriate technology to protect its EPHI.
Internal and external security threats. CEs must protect EPHI against both internal and external threats.
Minimum standard. The Security Rule defines the least that CEs must do to protect EPHI. They may choose to do more.
Risk analysis (the cost of a security measure vs. the cost of not having the measure). The Security Rule requires CEs to conduct a thorough and accurate risk analysis that considers 'all relevant losses' that would be expected if specific security measures are not in place. 'Relevant losses' include losses caused by unauthorized use and disclosure of data and by unauthorized modification of data.
The Security Rule has several key concepts:
Principle based.
The Security Rule
Reasonableness. CEs must do everything that is appropriate to avert all reasonably anticipated risks to their EPHI. They must balance their resources and business requirements against the risks to EPHI.
Full compliance. All CE staff, including management and those who work at home, must comply with the Security Rule.
Developed from multiple security guidelines and standards.
The
Documentation. CEs must document a variety of security processes, policies, and procedures. They must also document Security Rule implementation decisions.
Ongoing compliance.
CEs must regularly train