Access Control: Automatic Logoff-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do: Implement…


President Obama’s Council of Economic Advisers Outlines Economic Case for Health Care Reform

The Council of Economic Advisers in the Executive Office of the President published on Tuesday, June 2, 2009, The Economic Case for Health Care Reform. We provide an excerpt from the beginning of the Executive Summary that highlights “large economic impacts” of health care reform, and the report’s conclusion (Section VII on pp. 38-39) that highlights that the current “American health care system is on an unsustainable path.”

Excerpt from Executive Summary: The Council of Economic Advisers (CEA) has undertaken a comprehensive analysis of the economic impacts of health care reform. The report provides an overview of current economic impacts of health care in the United States and a forecast…


Access Control: Emergency Access Procedure-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is required. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do: Establish and implement as needed procedures for obtaining necessary electronic protected health information during an emergency.

How to Do It: Emergency access refers to loss of…


Access Control: Unique User Identification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is required. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do: Assign a unique name and/or number for identifying and tracking user identity.

How to Do It: The covered entity should establish a policy whereby its Security…


Access Control: What This HIPAA Security Rule Technical Safeguard Standard Means

This is the first Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications:  unique user identification; emergency access procedure; automatic logoff; and encryption and decryption. The first two are required; the last two are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment…


Technical Safeguard Standards of the HIPAA Administrative Simplification Security Rule

There are five technical safeguard standards:  access control, audit controls, integrity, person or entity authentication, and transmission security. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. Technical…


ARRA Stimulus Funds

On Thursday, May 28, 2009, the Office of the National Coordinator released guidance on the new Health IT Regional Extension Centers (HITRC). Section 3012 of the Public Health Service Act (PHSA), as added by the HITECH Act, authorizes a Health Information Technology Extension Program to make assistance available to all providers, but with priority access to Health IT for the uninsured, underinsured, historically underserved and other special-needs populations, and use of that technology to achieve reduction in health disparities. The major focus for the Centers’ work with most of the providers that they serve will be to help to select and successfully implement certified electronic health records (EHRs). Assistance is…


Physical Safeguard Standard, Device and Media Controls: Data Backup and Storage Implementation Specification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Data Backup and Storage is the fourth and last of four implementation specifications, and it is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act…


Physical Safeguard Standard, Device and Media Controls: Accountability Implementation Specification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Accountability is the third of four implementation specifications, and it is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama…
