
Update on HIPAA ...
New Data Security Compliance Requirement due by April 2005


Dear Editor,


I’m confused.  I understand that the Health Insurance Portability and Accountability Act (HIPAA) required our protecting patient privacy as of last April 2003.  But what is this other area, Data Security, all about?  Is it the same or different?  We just finished with complying with one aspect of HIPAA.  Do we really have to comply with another aspect of HIPAA?  Thank you.


Sincerely,
 
Confused
 


Dear Confused,


Sorry to have to break the news to you, but HIPAA privacy and HIPAA data security are entirely different legislative areas that must be complied with.  There is, however, some overlap between the two which translates into a little less work than when you had to start from scratch with HIPAA privacy.

As you recall, the HIPAA patient privacy rule established standards to protect the privacy of individually identifiable health information that is maintained or transmitted in connection with certain administrative and financial transactions.  It applies to covered entities – health plans, health care clearinghouses, and certain health care providers.  The privacy rule sets standards with respect to the rights of individuals to their health information, procedures for exercising those rights, and the authorized and required uses and disclosures of such information.

The privacy rule helps to define what information needs to be protected and who, in a health care setting, is authorized to access the protected health information.  It also delineates individuals’ rights to control and access their own protected information.

The HIPAA security rule imposes standards for the security of electronic protected health information used by covered entities.  Covered entities must use the security rule to develop and maintain the security of all electronic protected health information.  Security includes both information technology systems and operational processes.

In order to protect our patients’ confidential information, the security rule requires adopting and/or updating policies, procedures and systems as well as training employees and installing access controls.  Our primary goal with the security rule is to provide confidentiality, integrity and availability of electronic protected health information.

HIPAA data security compliance was required by April 20, 2005.  Please be aware that while there is some overlap with the HIPAA privacy rule, the data security component requires its own policies and procedures, as well as its own training agenda for employees and business associates.

Editor


Note:  We are happy to answer any questions you have regarding health care legal issues.  Of course all requests for information shall remain anonymous.  All letters are published for educational purposes only.  Legal advice and opinion can only be provided for upon individual consultation.

