Less than one month to go: Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010. Here are relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D: Privacy. 42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions). (a) APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered…
Tag: guidance
Three Key Properties of HIPAA Privacy and Security of Protected Health Information
HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Recently, HIPAA.com answered the question of particular interest to several readers: what exactly is protected health information (PHI)? In this posting, we answer the question: what are the fundamental properties that underlie privacy and security of protected health information? Three Key Properties The three key properties that underpin privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) are availability,…
HHS Issues Interim Final Rule for HITECH ‘Breach Notification’
U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, has issued the Interim Final Rule for Breach Notification for Unsecured Protected Health Information. The Interim Final Rule was signed by Secretary Sebelius on August 6, 2009, filed at the Federal Register on Wednesday, August 19, 2009, and will be published on Monday, August 24, 2009, in the Federal Register. The effective date of the Interim Final Rule will be 30 days after publication, and will cover both covered entities and business associates of covered entities. Here is the Summary of the Interim Final Rule: “The Department of Health and Human Services (HHS) is issuing this interim final rule with…
Transmission Security Encryption: What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the second of two implementation specifications for the Technical Safeguard Standard, Transmission Security. This implementation specification is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to…
Access Control: Encryption and Decryption-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do Implement…
Technical Safeguard Standards of the HIPAA Administrative Simplification Security Rule
There are five technical safeguard standards: access control, audit controls, integrity, person or entity authentication, and transmission security. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. Technical…
Privacy and Security Framework: Introduction
U.S. Department of Health and Human Services, Office for Civil Rights Download (Requires Acrobat Reader)