HIPAA security rule now in its final form

Signature standard not included

Final security standards under the Health Insurance Portability and Accountability Act (HIPAA) for protecting patient health information when it is maintained or transmitted electronically have been adopted by the Department of Health and Human Services (HHS).

All "covered entities," which include health care providers, health plans, and health care clearinghouses, must comply with the rule, which was published in the Federal Register. It includes the following provisions:

  • All work force members, including management, must receive security awareness training.
  • Organizations must conduct risk analyses to determine information security risks and vulnerabilities.
  • Organizations must establish policies and procedures that allow access to electronic protected health information (PHI) on a need-to-know basis.
  • Organizations must implement audit controls that record and examine who has logged into information systems that contain PHI.
  • Organizations must limit physical access to facilities that contain electronic PHI.
  • Organizations must establish and enforce sanctions against members of the work force who don’t follow information security policies and procedures.

The electronic signature standard, a component of the proposed rule, was removed from the final version, which was published in the Feb. 20, 2003, Federal Register. HHS has said it will publish that standard in a separate final rule, but did not say when. Some security experts have said the rule, while well integrated with the HIPAA privacy rule, lacks specific guidance in some critical areas, such as the requirement that encryption be used "only when deemed appropriate."

John Christiansen, JD, an attorney with Preston Gates in Seattle, has said the HHS accomplished one of its goals, which was to integrate the security rule with the privacy rule. He said many redundancies had been eliminated, in addition to some unclear concepts and rules.

HHS writes in the rule’s preamble that the regulations are consistent with "generally accepted security principles."

The regulations will become enforceable for most covered entities, including hospitals, on April 21, 2005. Small health plans will have an additional year to comply. To view the final rule, go to www.access.gpo.gov.