The deadline for small plans to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security standards is April 21. The security standards are a corollary to the HIPAA Privacy Rule, which created national standards to protect individuals' medical records and other personal health information and gave patients more control over their health information.
The Privacy Rule, which took effect in 2003 (2004 for small health plans), provides that, in general, a covered entity may not use or disclose an individual's protected health information (PHI) without specific authorization except for treatment, payment, or healthcare operations. The rule gives individuals the right to access and amend their PHI. It generally limits the release of PHI to the minimum reasonably necessary for the purpose of the disclosure.
HIPAA's security standards specify a series of administrative, technical, and physical safeguards that covered entities must use to ensure the confidentiality, integrity, and availability of PHI in electronic form. The security standards for all but small plans had to be in place by April 25, 2005. Small plans have until April 21, 2006, to comply. A small health plan is defined as a plan with annual receipts of $5 million or less. (Group health plans with fewer than 50 participants that are self-administered by the employer are exempt from the HIPAA privacy, electronic transaction, and security standards.)
The standards require covered entities to implement basic safeguards to protect electronic PHI from unauthorized access, alteration, deletion, and transmission. The various standards may have either required or addressable implementation specifications.
If an implementation specification is described as "required," it must be implemented as written. The concept of "addressable" implementation specifications was developed to give covered entities additional flexibility in complying with the security standards. For each addressable specification, a covered entity must decide whether that measure is reasonable and appropriate within its particular security framework; if it is not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. This decision will depend on a variety of factors, such as the entity's risk analysis, its risk mitigation strategy, the security measures already in place, and the cost of implementation. For more information on how to comply with the security standards, including a list of required and addressable implementation specifications, see Health Information Privacy (HIPAA).