HHS publishes final rule for HIPAA Security Standards

HIPAA is making headlines again with final rulings on security and modifications to the EDI transaction standards that communicate healthcare information. Check out what CIOs should be aware of to comply with this new ruling.
The Department of Health and Human Services (HHS) recently gained the spotlight again with two significant Health Insurance Portability and Accountability Act (HIPAA) announcements. First, after four years and more than 2,300 public comments, the final rule for HIPAA Security Standards was published in the Feb. 20, 2003, Federal Register. The new rules took effect on April 21, 2003, with the deadline for compliance for most covered entities two years later on April 21, 2005. Also published in the Feb. 20 Federal Register were several modifications to the EDI transaction standards used by healthcare entities to electronically communicate healthcare information.

The final rule for security
The published security rule (45 CFR Parts 160, 162, and 164) includes modifications to the proposed rules first published in August 1998. The proposed rules focused on three concepts derived from the Administrative Simplification language included within HIPAA:
  • The standard should be comprehensive and coordinated to cover all aspects of security.
  • It should be scalable so that all covered entities, regardless of size, can implement it.
  • It should remain technology-neutral, allowing for the adoption and application of future technologies.

The goal of the 1998 proposed rule was to establish a minimal set of standards for the safeguarding of healthcare information. While the final rule adheres to this goal, it also incorporates numerous clarifications and changes in response to substantial public input.

One example of such clarification is the intended coverage of the rule. In the earlier version, you could interpret the rule to cover nonelectronic health information. The final rule restates this to clearly identify coverage to encompass electronically stored or communicated health information. A second example is in the area of certification. The proposed rule suggested that covered entities must certify their systems as HIPAA-compliant. The final rule allows self-regulation by the entities to ensure their systems comply.

Under the final rule, healthcare providers, health insurers, and healthcare clearinghouses must establish procedures to ensure the protection, confidentiality, integrity, and availability of healthcare information. To comply, the final rule requires the establishment of administrative, physical, and technical safeguards. I've outlined these requirements below.

Administrative safeguards
  • Security management: Create policies to prevent, detect, contain, and correct security violations.
  • Assigned security responsibility: Identify a security officer who's responsible for the development of and adherence to these standards.
  • Workforce security: Develop policies to regulate workforce access to covered information.
  • Information access management: Similar to workforce security, this focuses on applicable access to information.
  • Security awareness and training: Establish a security awareness training program for the workforce.
  • Security incident procedures: Establish formal procedures to respond to security incidents.
  • Contingency plans: Create plans for the response to emergencies affecting systems with private health information.
  • Evaluation: Conduct periodic reviews of systems for compliance.
  • Business associates, contracts, and other agreements: Verify that contracts provide satisfactory coverage.

Physical safeguards
  • Facility access controls: Develop policies to limit physical access to systems containing protected health information.
  • Workstation use: Create policies regarding the appropriate use of organizations' workstations.
  • Workstation security: Establish policies for securing organizations' workstations.
  • Device and media controls: Create policies covering the use and reuse of storage or other media containing protected health information.

Technical safeguards
  • Access control: Develop policies to limit access to information systems housing electronic data.
  • Audit controls: Implement systems to record and audit access to protected health information within information systems.
  • Integrity: Implement policies and safeguards to prevent the inappropriate modification of protected health information.
  • Person or entity authentication: Implement techniques to verify that the persons requesting access are in fact who they say they are.
  • Transmission security: Implement techniques, such as encryption, to protect health information during electronic communication.

The security guidelines also include organizational requirements as well as documentation requirements.

This article was originally published as part of the TechRepublic IT Healthcare TechMail.