The third significant component of the HIPAA administrative simplification requirements, applicable to health plans as covered entities, will take effect April 21, 2005 for large plans; small plans with fewer than $5 million in premiums have until April 2006 to comply. The first two legs of the administrative simplification stool were the privacy rules and the electronic data interchange rules. The HIPAA security rules specifically apply to electronic protected health information (e-PHI). For purposes of these rules, protected health information generally has the same meaning as it does under the HIPAA privacy rules, i.e., PHI is any individually identifiable medical information that:

- Is created or received by a covered entity;

- Relates to an individual's physical or mental condition, the provision of health care services to such individual, or the payment for such health care services; or

- Identifies the individual, or creates a reasonable basis to believe that such information could be used to identify the individual.
e-PHI is any PHI that is created, received, maintained, or transmitted electronically, such as through the internet, CD, magnetic tape, etc. It generally does not apply to paper faxes or voice-to-voice response systems, though it would apply to computer-based faxes or computer-based automated voice systems. In summary, the HIPAA security rules require that administrative, physical, and technical safeguards be established to ensure the security of such information.

- Administrative safeguards are functions implemented to meet the standards, such as appointing a security officer or providing security training.

- Physical safeguards ensure the protection of the physical systems and equipment that maintain the information from such events as natural disasters or unauthorized intrusions. Examples of physical safeguards include restricting access to e-PHI or retaining off-site computer backups.

- Technical safeguards ensure protection of the information and its transmittal, such as through encryption.
The security rules set out two types of standards: mandatory standards (those that must be followed) and addressable standards. Addressable standards are those that either:

1. Need to be complied with specifically, or

2. Require an analysis to be undertaken and documented showing how the addressable standard can be satisfied by an alternative means to ensure compliance, or need not be complied with, given the facts and circumstances of a particular situation.
What should covered entities, including employers on behalf of their plans, be doing now?

1. Appoint a security officer. This individual may also be the privacy officer.

2. Identify all plans subject to the HIPAA administrative simplification rules, and specifically, those that maintain e-PHI.

3. Analyze and document all types of e-PHI maintained by the plan. Assess potential risk to e-PHI.

4. Review and assess security measures in light of the mandatory and addressable standards, and the particular needs of your organization.

5. Develop and implement policies and procedures to ensure the protection of e-PHI.

6. Identify and train all employees who have access to e-PHI.

7. Amend business associate agreements and plan documents to ensure protection of e-PHI.
Many of these tasks could have already been accomplished through the efforts to ensure compliance with the HIPAA privacy rules. Most of the analyses should result in assurances that the security rules are being complied with, or that certain changes need to be made, given the unique nature of electronic information.