Facility Access Controls: Facility Security Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. What…

READ MORE

Facility Access Controls: Contingency Operations-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. What…

READ MORE

Facility Access Controls: What This HIPAA Security Rule Physical Safeguard Standard Means

This is the first Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: contingency operations; facility security plan; access control and validation procedures; and maintenance records. Each of these implementation specifications is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA,…

READ MORE

Physical Safeguard Standards of the HIPAA Administrative Simplification Security Rule

There are four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. Physical…

READ MORE

Evaluation-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the eighth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. Its implementation specification is embodied in the language of the standard itself, and it is required of covered entities.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010, as provided for in the HITECH Act provisions of the American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009. What is Required Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of…

READ MORE

Pay attention to HITECH Act Definition of Breach: Lost Customers Big Cost Factor

The April 2009 issue of Baseline  magazine has an article by Corinne Bernstein entitled: “The Cost of Data Breaches,” which is available online at www.baselinemag.com. We recommended that covered entities and business associates review this article, based on a Ponemon Institute study of incidents and costs incurred at 43 organizations in 17 industry sectors. Here are several highlights: » “Lost business accounted for nearly 70 percent of a data breach in 2008. » “[S]ectors suffering the highest customer losses were health care…and financial services. » “The biggest cause of breaches…is insider negligence…88% of all cases in 2008. » “The number of breaches involving third-party organizations continues to climb.” The article…

READ MORE

Direct Data Entry-No Change in the 5010 Final Rule

In the August 17, 2000 Final Rule for Standards for Electronic Transactions, direct data entry was defined as “direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan’s computer.” [65 Federal Register 50367] An exception for direct data entry was articulated in the August 17, 2000, Final Rule: A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not…

READ MORE

Contingency Plan: Data Backup-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. How to Do It Covered entities must backup electronic protected health information on a regular basis. When a computer system fails, it may…

READ MORE

Contingency Plan-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has five implementation specifications:  Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis.  The first three are required; the last two are addressable.  Addressable does not mean optional.  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. If a fire swept through a covered entity’s facility, the covered entity would…

READ MORE