HIPAA Regulatory Alert

Security rule guidance issued to covered entities

Entities covered under the HIPAA security rule are not required to certify compliance with provisions of the rule, according to guidance issued by the Centers for Medicare & Medicaid Services. The security rule does, however, require covered entities to periodically perform evaluations to establish the extent to which technological and nontechnological security policies and procedures meet the requirements, the agency says.

"The evaluation can be performed internally by the covered entity," the guidance says. "There are also external organizations that provide evaluations or certification services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that the Department of Health and Human Services does not endorse or otherwise recognize private organizations’ certifications, and such certifications do not absolve covered entities of their legal obligations under the security rule. Moreover, performance of a certification by an external organization does not preclude HHS [the Department of Health and Human Services] from subsequently finding a security violation."

Guidances have also been published on other areas of the security rule, addressing questions such as the difference between risk analysis and risk management, whether access control requirements cover remote employees (they do), and whether minimum operating system requirements are mandated for personal computers (not always).

(Check the guidances on the Frequently Asked Questions page of the Centers’ HIPAA administrative simplification web site at www.cms.hhs.gov/hipaa/hipaa2.)