HHS publishes HIPAA security rules


The Department of Health and Human Services on Feb. 20 published the long-awaited final rule on security standards to safeguard the "confidentiality, integrity and availability" of electronic information used in the health care industry.

As part of the federal Health Insurance Portability and Accountability Act (HIPAA), the 289-page rule requires public and private health plans, including Medicaid and Medicare, health care clearinghouses, and providers to implement administrative, physical and technical security mechanisms to protect private patient data.

The security rule will work with the privacy rule adopted by HHS last year. Many health providers and entities must comply with the privacy standards by April 14.

As for the new security rule, most entities must comply by April 15, 2005, but organizations with fewer than 50 people have an additional year to comply.

It took more than four and a half years for a final security rule to be adopted. It received about 2,350 public comments during that time.

Enacted in 1996, HIPAA was designed to make health insurance more transferable and accountable by standardizing electronic codes and transactions. It is intended to make it easier for doctors, hospitals and other providers to process claims and other transactions electronically.

Marne Gordan, director of regulatory affairs at TruSecure Corp., has been studying HIPAA for the past three years and said there's good news and bad news regarding final adoption. Organizations that haven't invested in security can now budget appropriately. But it's also "pretty risky behavior" if they haven't implemented some security safeguards, she said.

She said that there is a lot of room for interpretation in how to achieve compliance with the privacy and security guidelines. "HHS is [essentially] saying, you can achieve compliance any way you want, just as long as you get there," she said.

The published rule does not dictate specific solutions that would be usable by all the affected entities because they are "so varied in terms of installed technology, size, resources and relative risk." The rule further noted that "many commenters also supported the concept of technological neutrality, which would afford [affected entities] the flexibility to select appropriate technology solutions and to adopt new technology over time."

Gordan said that while most larger public and private health care organizations are better equipped, with more resources to deal with the HIPAA rules and achieve compliance, it is the small to midsize organizations that may need the most guidance and help.
