Question: What are the deadlines for compliance with the HIPAA security rule?

Answer: For all covered entities, other than small health plans, the compliance deadline is April 20, 2005, says Robert W. Markette Jr., an Indianapolis attorney. "Contrary to a popular rumor, there is not an exception for small health care providers," he says.

Question: What happens to noncompliant providers on April 20, 2005?

Answer: "At least for the near future, CMS [the Centers for Medicare & Medicaid Services] is sticking to its stated policy of assisting noncompliant providers to become compliant, rather than imposing large fines," Markette says.

However, the possibility of leniency from CMS should not lead you to feel complacent about security rule compliance, he notes. "You should make every effort to be in compliance or be well on your way to compliance, because CMS is far more likely to be lenient if it can see documentation of the efforts you are making to comply, how far along you are, and how far you have left to go," notes Markette. "In the event of a complaint, a CMS investigator will not be interested to hear that you have read the rule, but have done little else."

In addition to potential penalties from the government, there are other possible consequences of a HIPAA violation that fall outside of federal jurisdiction, he says. For instance, it’s possible for HIPAA violations to become the basis for civil lawsuits, Markette adds. "Providers who are subject to state licensure surveys may also encounter a state surveyor who erroneously cites a covered entity for a HIPAA violation," he says. "This could affect a provider’s license even without a violation."

Finally, a HIPAA violation presents the potential for negative publicity, Markette says. "With the current focus in America on individual privacy, a provider who is found to have violated the HIPAA security rule may be perceived as insensitive to the concerns of patient privacy," he explains. This perception could have a negative effect on patient confidence and, therefore, business, he adds.

Question: Where should I start when putting together my compliance plan?

Answer: First, appoint a security officer, says Markette. The HIPAA security rule, like the privacy rule, requires the covered entity to designate someone as responsible for the entity’s compliance with the HIPAA security regulation, he explains. This person is known as the security officer. "The security officer does not need to be an information security expert or hold any special certifications, but the person should be familiar with the HIPAA privacy and security rules and be able to manage a project and complete it in a timely fashion," Markette adds. "Larger organizations should consider a security compliance team to assist the security officer."

The security rule allows this kind of assistance, but the security officer retains responsibility for your organization’s compliance efforts, he says. "The team should include managers from each department or persons designated by the managers," he notes. It is important that the team remember that the security officer retains final control, and the security officer should be able to put pressure on the team to meet deadlines, Markette adds.

Next, the security officer must familiarize himself or herself with the security rule, he notes. "A good place to start is the rule itself, and the CMS web site provides a number of resources including CMS’ recently published overview of the security rule — Security 101 for Covered Entities," he says.

Reading the rule serves two purposes, notes Markette. "You will learn the more specific requirements of the rule as set forth in the 19 standards and 36 implementation specifications, and you also will see that you already have implemented a number of the rule’s requirements as you implemented programs to comply with the privacy rule," he adds.


For more information on the security rule, contact:

  • Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (800) 894-1243 or (317) 704-2400. Fax: (317) 704-2410. E-mail: