Tag: 2009

Evaluation-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the eighth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. Its implementation specification is embodied in the language of the standard itself, and it is required of covered entities.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010, as provided for in the HITECH Act provisions of the American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009. What is Required Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of…

READ MORE

Contingency Plan: Applications and Data Criticality Analysis-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fifth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable.  Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Assess the relative criticality of specific applications and data in support of other…

READ MORE

Contingency Plan: Testing and Revision Procedures-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Implement procedures for periodic testing and revision of contingency plans. How to Do…

READ MORE

Contingency Plan: Emergency Mode Operation Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in the emergency mode. How to Do It Covered entities are required to develop…

READ MORE

Contingency Plan: Disaster Recovery Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to restore any loss of data. How to Do It The content and procedures of a covered entity’s disaster recovery plan will be » Outcomes of the covered entity’s identification of vulnerabilities and…

READ MORE

Direct Data Entry-No Change in the 5010 Final Rule

In the August 17, 2000 Final Rule for Standards for Electronic Transactions, direct data entry was defined as “direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan’s computer.” [65 Federal Register 50367] An exception for direct data entry was articulated in the August 17, 2000, Final Rule: A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not…

READ MORE