With the March 17, 2009 effective dates for the new 5010 Version of HIPAA Administrative Simplification Transaction Standards and the move to the ICD-10 Code Set Standard rules, and the expected enactment of the HITECH provisions of the American Recovery and Reinvestment Act as early as next week, it is a good time now to begin reviewing your HIPAA Administrative Simplification Security safeguards. As mentioned earlier this week, creating and periodically reviewing your risk assessment or analysis is the foundation of achieving compliance with the HIPAA Administrative Simplification Security Rule and a key factor in having a successful business. Over the next week, HIPAA.com will review the Security Rule administrative, technical, and physical standards, and provide advice on what to do and how to do it in order to ensure that you—as a covered entity—are in compliance with each standard’s implementation specifications.
As an overview of the Security Rule, here are ten key Security Rule attributes:
1. The Security Rule is a set of standards and implementation specifications with which covered entities must comply by federal law.
2. The Security Rule standards are always required for compliance, while implementation specifications can be required or addressable.
3. The Security Rule is scalable, taking into consideration size of covered entity, and flexible, taking into consideration structure of covered entity, costs of security measures, and probability and criticality of potential risks.
4. The Security Rule is reasonable, and permits the covered entity to implement security safeguards that are appropriate.
5. The Security Rule is founded on principles of availability, confidentiality, and integrity of a patient’s medical information in electronic form: electronic protected health information.
6. The Security Rule is technology neutral: a covered entity can choose its protection measures (inputs) as long as they achieve specified safeguard performance levels (outputs).
7. The Security Rule is based on risk assessment and risk mitigation, namely, a covered entity identifying its potential vulnerabilities and threats, and taking measures to avoid them.
8. The Security Rule is built on a foundation of safeguarding electronic protected health information, so maintaining availability of electricity is a key factor.
9. The Security Rule formalizes in policies and procedures many of the practices that a prudent business would use in the course of its operations.
10. The Security Rule is an investment in the future of a covered entity as a successful business.