HHS publishes HIPAA security rules

Final rule sets security standards for electronic information used in the health care industry

The Department of Health and Human Services on Feb. 20 published the long-awaited final rule on security standards to safeguard the "confidentiality, integrity and availability" of electronic information used in the health care industry.

As part of the federal Health Insurance Portability and Accountability Act (HIPAA), the 289-page rule requires public and private health plans, including Medicaid and Medicare, health care clearinghouses, and providers to implement administrative, physical and technical security mechanisms to protect private patient data.

The security rule will work with the privacy rule adopted by HHS last year. Many health providers and entities must comply with the privacy standards by April 14.

As for the new security rule, most entities must comply by April 15, 2005, but organizations with fewer than 50 people have an additional year to comply.

It took more than four and a half years for a final security rule to be adopted. It received about 2,350 public comments during that time.

Enacted in 1996, HIPAA was designed to make health insurance more transferable and accountable by standardizing electronic codes and transactions. It is intended to make it easier for doctors, hospitals and other providers to process claims and other transactions electronically.

Marne Gordan, director of regulatory affairs at TruSecure Corp., has been studying HIPAA for the past three years and said there's good news and bad news regarding final adoption. Organizations that haven't invested in security can now budget appropriately. But it's also "pretty risky behavior" if they haven't implemented some security safeguards, she said.

She said that there is a lot of room for interpretation in how to achieve compliance with the privacy and security guidelines. "HHS is [essentially] saying, you can achieve compliance any way you want, just as long as you get there," she said.

The published rule does not dictate specific solutions that would be usable by all the affected entities because they are "so varied in terms of installed technology, size, resources and relative risk." The rule further noted that "many commenters also supported the concept of technological neutrality, which would afford [affected entities] the flexibility to select appropriate technology solutions and to adopt new technology over time."

Gordan said that while most larger public and private health care organizations are better equipped and have more resources to deal with HIPAA rules and achieve compliance, it's the smaller to midsize groups that may require the most guidance and help.