oandp.com  >  The O&P EDGE  >  Archives   >  May 2003

   

Here Comes HIPAA Security

By Jay Masci

So you just finished your Privacy Rule compliance effort and are finalizing your Electronic Transaction and Code Set testing, and now you hear rumors about the HIPAA Security Rule being finalized. Is it true? Yes. The Security Rule was finalized and published on February 20, and if you are a covered entity, you will have to comply with it. The good news is that the compliance date for the Security Rule is not until February 21, 2005.

So as an O&P organization, why worry about the Security Rule now? What are the basics that your organization has to do in order to meet this rule? And just what is being secured?

Over the next several months, I will provide you with facts, requirements and the steps to help you with your HIPAA Security compliance efforts. By starting your Security compliance efforts now, you can plan appropriately for the resources, training, and budget that will be needed to meet the Security requirements. So grab a folder, label it "Security," and file away a copy of The O&P EDGE every month.

Do You Have To Comply?

This is a simple determination. If you were required to comply with the Privacy Rule or Electronic Transactions and Code Sets Rule, you are a covered entity and will have to comply with the Security Rule also.

What Will Be Protected by the Security Rule?

The Security Rule protects Protected Health Information (PHI) that is transmitted or maintained electronically.

Electronic media includes electronic storage media such as memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as a magnetic tape or disk, optical disk or a digital memory card. It also includes transmission media used to exchange information such as the Internet, an extranet, leased lines, dial-up lines, private networks and the physical movement of the removable/transportable electronic storage media.

Electronic media does not include paper, fax, or voice via telephone.

General Requirements

An O&P organization that is a covered entity must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule; and
  • Ensure compliance with the Security Rule by its workforce.

 

Required and Addressable Requirements

The Department of Health and Human Services (DHHS) allows the covered entity to be flexible in how it reasonably and appropriately puts the standards and implementation specifications into effect. DHHS provides this flexibility by stating whether each Security Rule implementation specification is "required" or "addressable."

Required Specifications

If the specification is "required," the covered entity must implement the specification as stated in the Security Rule.

Addressable Specifications

If the specification is "addressable," then the covered entity must:

1. Assess whether the specification is a reasonable and appropriate safeguard in its environment and is likely to contribute to protecting the entity's electronic protected health information, and
2. Implement the specification or document why it would not be reasonable and appropriate. Implement an equivalent alternative measure if reasonable and appropriate.

Next Article

In our next article we will look into the Security Rule and its "required" and "addressable" implementation specifications.

While all information is believed to be correct at the time of writing, this article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult with an attorney.

Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.

