Tuesday afternoon the Senate passed the American Recovery and Reinvestment Act, the so-called Economic Stimulus bill. Previously, the House of Representatives passed its version, H.R. 1. Now, the joint House-Senate conference committee will resolve funding and language differences in the House and Senate versions of ARRA. As we have noted earlier, each of these versions contains incentives for adoption of health information technologies, which are described in the so-called HITECH provisions of the House and Senate versions. President Obama is expected to sign a reconciled bill in the near future, assuming that the Democrats in the Senate can achieve at least 60 votes in a procedural motion to move the bill to the floor of the Senate for a vote. Once signed into law, HIPAA.com will provide a detailed analysis of funding, language, and timeframe provisions of the reconciled HITECH provisions.
In the meantime, we know that health information policy and privacy/security provisions will be included in the final version of the ARRA legislation. Accordingly, we believe that now is a good time to think about reviewing your security plan for securing electronic protected health information. Remember, this applies to all covered entities, who are required to safeguard electronic protected health information under the HIPAA Administrative Simplification Security Rule, and electronic, oral, and written protected health information under the HIPAA Administrative Simplification Privacy Rule. The definition of covered entity in a final ARRA bill may extend the definition and responsibilities of a covered entity to business associates. So, to get started, the first task would be to review your risk management program. Start by reviewing the 2008 Revision of NIST Guide for Implementing HIPAA Security Rule available at HIPAA.com, and your written risk assessment analysis that is required of covered entities.
Risk management is the process of evaluating threats and vulnerabilities, and then designing a strategy for handling and mitigating those threats and vulnerabilities. The foundation of your security plan is based on conducting your risk assessment, and periodically reviewing and updating it.
Three principles provide the foundation for security of electronic health information:
» Integrity: information has not been altered or destroyed without proper authorization.
» Confidentiality: information is only available or disclosed to persons authorized to receive it.
» Availability: information is accessible and useable upon demand by authorized persons.
» Each of these principles underlie security in administrative, technical, and physical standards.