Tag: 2009

Physical Safeguard Standard, Device and Media Controls: Accountability Implementation Specification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Device and Medial Controls is the fourth and last Physical Safeguard Standard.  Accountability is the third of four implementation specifications, and it is addressable.  Remember, addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama…

READ MORE

Physical Safeguard Standard, Device and Media Controls: Medi Re-use Implementation Specification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Device and Medial Controls is the fourth and last Physical Safeguard Standard.  Media Re-use is the second of four implementation specifications, and it is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity must implement procedures for removal of electronic protected health information from electronic media before the…

READ MORE

Physical Safeguard Standard, Device and Media Controls: Disposal Implementation Specification-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Device and Medial Controls is the fourth and last Physical Safeguard Standard.  Disposal is the first of four implementation specifications, and it is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity must implement policies and procedures to address the final disposition of electronic protected health information and…

READ MORE

Device and Media Controls: What This HIPAA Security Rule Physical Safeguard Standard Means

This is the fourth and last Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has four implementation specifications:  disposal, media re-use, accountability, and data backup and storage.  The first two are required; the last two are addressable.  Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act…

READ MORE

Physical Safeguard Standard, Workstation Security-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third Physical Safeguard Standard, Workstation Security.  The implementation specification for this standard is defined by the standard title, and is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity must implement physical safeguards for all workstations that access electronic protected health information to restrict access…

READ MORE

Physical Safeguard Standard, Workstation Use-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, Workstation Use is the second Physical Safeguard Standard.  There is no defined implementation specification for this standard.  Implementation of policies and procedures pertaining to this standard are required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What is Required A covered entity must implement policies and procedures that specify the proper functions to be…

READ MORE

HHS appoints members to HIT Policy and Standards Committee

On Friday, May 8, 2009, the U.S. Department of Health and Human Services (HHS) announced appointments to the Health Information Technology (HIT) Policy Committee and HIT Standards Committee. These federal advisory committees were established by provisions in the American Recovery and Reinvestment Act (ARRA) that President Obama signed on February 17, 2009. Today, is the first meeting of the HIT Policy Committee, and Friday, May 15, 2009, is the first scheduled meeting of the HIT Standards Committee, both in Washington, DC. According to the press release issued by HHS, “[t]he HIT Policy Committee will make recommendations to the National Coordinator for Health Information Technology [Dr. David Blumenthal] on a policy…

READ MORE

FTC Delays Identity Theft Prevention Red Flags Rule for Second Time

The Federal Trade Commission announced a second delay on Friday, May 1, 2009, for compliance with the identity theft prevention red flags rule. The delay is for three months, with compliance now scheduled for August 1, 2009. Entities affected are creditors and financial institutions. Healthcare providers that extend delayed payment plans to patients are deemed “creditors” under the red flags rule. This delay was to give affected entities more time to develop and implement written identity theft prevention policies and procedures for compliance with the rule, which is based on enabling regulations of provisions in the Fair and Accurate Credit Transactions Act of 2003. You can visit the FTC website…

READ MORE