• About Health Care: HIPAA
  • June 19, 2003
  • Law Firm: McGlinchey Stafford, PLLC - New Orleans Office
The Department of Health and Human Services' long-awaited final security rule under the Health Insurance Portability and Accountability Act (HIPAA) was published in the February 20, 2003 Federal Register. Covered entities have two years, until April 20, 2005, to comply with the rule, except that small health plans have an additional year to comply. Copies of the rule can be viewed at http://www.cms.hhs.gov/hipaa/hipaa2/default.asp. Under the security standards, health care insurers, certain health care providers, and health care clearinghouses must establish policies and procedures to protect the confidentiality, integrity, and availability of electronic protected health information. Computers, magnetic tape, digital memory cards, the web, and extranets that contain protected health information are covered by the rule; a facsimile is not. The security standards are separate from the privacy rule; however, the two rules work in concert.

The new security rule requires administrative safeguards, such as a sanction policy applying to employees who fail to comply with the security policies; physical safeguards, such as workstation usage; and technical safeguards, such as proof of the identity of the person who is seeking access to protected health information. In addition, the rule eliminates the proposed chain of trust agreement (between handlers of patient data as it moves through the health care system) and adopts the standards of the business associate agreements required by the privacy rule for safeguarding protected health information used by a covered entity's business partners.