Information Access Management: Access Establishment and Modification - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

Effective Dates for Modified HIPAA Administrative Simplification Transaction and Code Set Rules Coming in March

In less than three weeks, HIPAA Version 5010/D.0 transaction and ICD-10 code set rules become effective, and the clock starts running on testing in preparation for compliance several years hence. Next Monday, March 2, 2009, HIPAA.com will outline Level 1 testing requirements and opportunities for the 5010/D.0 transaction rule, and on Tuesday, March 3, 2009, outline testing requirements for ICD-10. Sign up for HIPAA.com email reminders for these and other HIPAA Administrative Simplification standards postings, as well as postings relating to the new Health Information Technology for Economic and Clinical Health Act and Medicare and Medicaid Health Information Technology (“HITECH Act”) provisions of the American Recovery and Reinvestment Act (“ARRA”) signed by President Obama on February 17, 2009.

Information Access Management: Access Authorization - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

Information Access Management: Isolating Healthcare Clearinghouse Functions - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required. If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but also can serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider.

Information Access Management - What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the fourth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has three implementation specifications: Isolating Healthcare Clearinghouse Functions; Access Authorization; and Access Establishment and Modification. The first is required; the second and third are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

Security Management Process: Information System Activity Review - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required. Size of the covered entity and complexity of the business operation will be key considerations in the risk analysis and in fulfilling the requirements of this implementation specification.

Security Management Process: Sanction Policy - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required. The covered entity must determine appropriate internal sanctions or penalties for violation of its security policies and procedures by workforce members.

Security Management Process: Risk Management - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required. This implementation specification requires the covered entity to develop and implement a plan to manage risks that it identified in its Risk Analysis. The risk management plan will provide the foundation for implementation of the covered entity’s security policies and procedures. In preparing the plan, the covered entity may take into consideration the following factors under the “flexibility of approach” general rule that underpins the Security Rule.