HHS lightens load in final security rules - HIPAA Update

Health Management Technology, April, 2003

After four years of development, proposal and comment, HHS issued final HIPAA security standards that are less prescriptive and more inviting of varied approaches to protect personal health information that is stored or transmitted electronically. The 289 pages of regulations are more flexible and will lighten the compliance burden for healthcare providers, both in terms of required implementation and cost.

"The revisions reflect a substantial move away from the specifics of technology implementation in favor of emphasizing security management principles and broad management controls as the primary vehicles for protecting patient health information," says Tom Grove, vice president of Phoenix Health Systems. "The final rule offers more high-level guidance, providing what is essentially a model for information security, with less specific guidance on how to implement the model."

A key revision in the final security rules was "downgrading" more than 20 provisions from "required" to simply "addressable." In the final rule, it is up to healthcare facilities to determine whether addressable actions are reasonable and appropriate, considering risk analysis, cost to implement programs and measures already in place, among other factors. For instance, entities are no longer automatically required to encrypt all e-mails that contain protected health information. Instead, they must determine which e-mail traffic requires encryption or other security measures, if any. HHS did caution that cost factors alone will not free organizations from the responsibility of providing adequate security.

Jim Klein, Gartner Research analyst, says this approach may encourage doctors in small group practices to use unencrypted e-mail for routine exchanges with their patients, such as requests for appointments and prescription renewals. Such communications carry low risks but yield significant benefits. Likewise, Klein says, large healthcare organizations "will rethink the forced march to universal encryption." Emphasis may shift from e-mail security to content filtering.

Most covered entities have two years--until April 21, 2005--to comply with the new security standards. Many healthcare organizations had hoped HHS would delay HIPAA's privacy compliance dates to coincide with the security timetable. But in its February actions, HHS indicated it would stick to the current timetables for the established privacy and transactions code sets standards. Most healthcare facilities must meet requirements under the privacy regulations by April 14--this month.

The full text of the security rules is available at www.rsleads.com/304ht-213.

COPYRIGHT 2003 Nelson Publishing
COPYRIGHT 2003 Gale Group