Contingency Plan: Data Backup-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. How to Do It Covered entities must backup electronic protected health information on a regular basis. When a computer system fails, it may…

READ MORE

Contingency Plan: Sample Policy and Procedures

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. HIPAA.com will outline What to do and How to do it for each…

READ MORE

Contingency Plan-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has five implementation specifications:  Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis.  The first three are required; the last two are addressable.  Addressable does not mean optional.  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. If a fire swept through a covered entity’s facility, the covered entity would…

READ MORE

What should you expect from your HIPAA Security Official?

HIPAA’s Security Rule requires covered entities to designate one person to be responsible for the development and implementation of policies and procedures that safeguard electronic protected health information. Nearly all organizations implemented measures to manage privacy in oral, written, and electronic media. However, as healthcare organizations and their business associates, inspired by the HITECH Act (stimulus package) respond to forthcoming financial incentives to adopt electronic health record (EHR) software, the need to beef up your security measures. So what should you look for in your Security Official? For starters, you need someone who understands clinical and billing workflows, recognizes that in the past some clinicians have communicated with patients via…

READ MORE

Final Security Rule

DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Parts 160, 162, and 164 | [CMS–0049–F] | RIN 0938–AI57 Health Insurance Reform: Security Standards AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS. ACTION: Final rule. Download (Requires Acrobat Reader)