This is the fourth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has three implementation specifications: Isolating Healthcare Clearinghouse Functions; Access Authorization; and Access Establishment and Modification. The first is required; the second and third are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. The covered entity is…
Author: Ed Jones
Security Management Process: Information System Activity Review-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required. What to Do Implement procedures to regularly review records of information of system activity, such as audit logs, access reports, and security incident tracking reports. How to Do It Size of the covered entity and complexity of the business operation will be key considerations in the risk analysis and in fulfilling the requirements of this implementation specification. First, regularly review information system activity for inappropriate use or security incidents, such as unauthorized disclosure. Many computer systems now have built-in reporting functionality…
Security Management Process: Sanction Policy-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required. What to Do Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. How to Do It The covered entity must determine appropriate internal sanctions or penalties for violation of its security policies and procedures by workforce members. Sanctions should: » Deter noncompliant behavior, such as posting passwords on computer hardware or under a desk pad. » Serve as an incentive for compliance with security policies and procedures. The appropriate sanctions…
Security Management Process: Risk Management-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required. What to Do Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the security standard as outlined in 45 CFR 306(a). The general requirements are: 1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. 2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. 3. Protect against any reasonably…
ARRA’s HITECH Privacy Provisions Apply HIPAA Security Rule to Business Associates
President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) on Tuesday, February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D). Our focus in this posting is the change related to business associates under HIPAA Administrative Simplification that is specified in Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities. In this section, administrative, physical, and technical safeguards, and policy, procedure, and documentation requirements of the HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the…
American Recovery and Reinvestment Act of 2009
ONE HUNDRED ELEVENTH CONGRESS of the UNITED STATES of AMERICA American Recovery and Reinvestment Act of 2009 Making supplemental appropriations for job preservation and creation, infrastructure investment, energy efficiency and science, assistance to the unemployed, and State and local fiscal stabilization, for the fiscal year ending September 30, 2009, and for other purposes. AGENCY: 111th US Congress. ACTION: Act. Download (Requires Acrobat Reader)
President Obama to Sign ARRA’s HITECH provisions Tuesday, February 17, 2009, in Denver, CO
The Senate joined the House on Friday evening, February 13, 2009, in passing the American Recovery and Reinvestment Act, which includes provisions relating to Health Information Technology. Title XIII of Division A and Title IV of Division B together are known as the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act.” We will be highlighting attributes of the HITECH Act through the end of February. Contrary to the political blather, this legislation is a significant step forward in providing funding and incentives to accelerate adoption of standardized and interoperable electronic business and clinical technologies in healthcare and in strengthening privacy safeguards for patients’ protected health…
Security Management Process: Risk Analysis-What to Do and How to Do It
Security Management Process is the first administrative standard of the Security Rule, and Risk Analysis is the implementation specification. Each covered entity is required to conduct a risk analysis or assessment to determine vulnerabilities and threats and to identify and put in place risk mitigation measures for safeguarding electronic protected health information. Electronic protected health information is the content of the HIPAA Administrative Simplification Standard Transactions and of the expected growing adoption of clinically-based electronic health record systems. What to do: Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. How to…
Time to Review Your Security Risk Assessment
With the March 17, 2009 effective dates for the new 5010 Version of HIPAA Administrative Simplification Transaction Standards and the move to the ICD-10 Code Set Standard rules, and the expected enactment of the HITECH provisions of the American Recovery and Reinvestment Act as early as next week, it is a good time now to begin reviewing your HIPAA Administrative Simplification Security safeguards. As mentioned earlier this week, creating and periodically reviewing your risk assessment or analysis is the foundation of achieving compliance with the HIPAA Administrative Simplification Security Rule and a key factor in having a successful business. Over the next week, HIPAA.com will review the Security Rule administrative,…
House and Senate Agree on ARRA Provisions
On Wednesday, February 11, 2009, House and Senate conferees reconciled the House and Senate versions of the American Recovery and Reinvestment (ARRA) plan, or so-called Stimulus bill. The House and Senate are expected to approve the final version this week and send it to President Obama for his signature. The total of the stimulus is just over $789 billion. The Wall Street Journal reported this morning that “$19 billion is set aside for health information technology. Physicians would get bonuses of between $44,000 and $64,000—and hospitals would get as much as $11 million—if they show they have computerized their medical-records systems. On the stick side of the equation, the measure…