Find out whether your health company's network systems are well enough to pass an internal security checkup, or are running the risk of a much more invasive examination by federal regulators and plaintiff's lawyers.
Daniel J. Langin, 1Attorney at Law, LLC
HIPAA Security Provisions:
Is Your Network Ready
for a Physical?
white paper
Configuration Control for Virtual and Physical InfrastructuresContents
3 Introduction 3 Initial Evaluation: Who, What, and Why of HIPAA 5 Vital Signs: Security Requirements Under HIPAA and the Privacy and Security Rules 7 The Doctor's Orders: Deadlines, Penalties, and Sanctions for Noncompliance 8 Keeping PHI and Systems Healthy: A Prescription for HIPAA Compliance 11 Conclusion: Maintaining Network Health Through Independent Configuration Audit and Control
2 | WHITE PAPER | HIPAA Security Provisions: Is Your Network Ready for a Physical?Introduction
Most people know the formula for good physical health: eat requires companies that create, receive, transmit, or main-right, exercise regularly and undergo an annual checkup. tain health information in an electronic format to meet Fewer people, however, realize that federal law requires a much more detailed set of security standards than the many businesses to follow procedures for good network HIPAA Privacy Rule. More details about the who, what, and "health," especially when it comes to protecting personal why of HIPAA are set forth below.medical information. Because a new set of security-focused regulations under the federal law known as the Health WhoInsurance Portability and Accountability Act (HIPAA) HIPAA applies to entities that are defined in the law as becomes effective in April of 2005, many companies need "Covered Entities." This term is defined in HIPAA to include: to review the health of their systems that create, receive, (1) Health Plans-plans that provide or pay for the cost of transmit, or maintain health information. healthcare; Is your company subject to HIPAA? If so, is it prepared to (2) Health Care Clearinghouses-entities that process/meet the requirements of the Security Rule? Like past (and facilitate information relating to an individual's health, possibly future) HIPAA regulations, April 2005 is the next health care, or health care payment; andcompliance deadline for most entities covered by HIPAA, fol-lowed by an April 2006 deadline for certain smaller entities. (3) Health Care Providers-doctors, dentists, hospitals, Because HIPAA and its rules can be amended, reinterpreted clinics, medical groups, or other providers of medical and supplemented, future deadlines may also arise. Read on services that maintain or transmit health information to see whether your company's systems are healthy enough in an electronic form.to pass an internal security checkup, or are running the risk At first blush, the term "Covered Entities" might seem to of a much more invasive examination by federal regulators limit HIPAA to companies in the health care field. However, and plaintiff's lawyers. this definition creates one of the hidden compliance risks of HIPAA because the term "Health Plans" includes nearly all employer-sponsored group health plans. In fact, the Security Initial Evaluation: Who, What, Rule includes a separate section dedicated specifically to 2and Why of HIPAA group health plans.Just like a good physical examination begins with an initial Few employers, however, may be aware of their plan's evaluation of the patient's appearance, height, weight and responsibilities under HIPAA, including the approach-similar features, the establishment of baseline information ing compliance deadline for the Security Rule. A survey like blood pressure and temperature, a good HIPAA compli- from April 2003 (the compliance deadline for the Privacy ance examination starts with an initial evaluation. Knowing Rule) indicated that only 68% of Health Plans were 3who the law covers, what the law is and why it exists are HIPAA-compliant. Employers ultimately have de facto good first steps toward compliance. responsibility for HIPAA compliance because they spon-To summarize, HIPAA is a federal law that requires com- sor and administer their Health Plans. From a practical panies to adopt administrative, physical, and technical perspective, this means that the definition of Heath Plan measures to protect the confidentiality, integrity, and avail- expands the scope of HIPAA beyond health care companies ability of certain health information. The security section of to virtually any employer that sponsors a Health Plan for its HIPAA and a set ... [download for more]
