DHHS Releases Final HIPAA Security Standards

The final Security Rule, issued pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), was published in the Federal Register on February 20, 2003. Most covered entities will have until April 21, 2005 to comply. Small health plans have until April 21, 2006.

The Security Rule requires covered entities to impose specific administrative, technical and physical safeguards to ensure the confidentiality, integrity, and availability of all individually identifiable health information that is maintained or transmitted electronically. As with the HIPAA Privacy Rule, the Security Rule is intended to be "scalable," meaning the safeguards a particular covered entity must impose will vary depending on its size and the actual risks. The Security Rule creates required and addressable safeguards. Required safeguards are those that all covered entities must have, including a risk analysis, sanctions for violations, and policies and procedures for workstation use and security. Addressable safeguards are more flexible and are required to the extent they are "reasonable and appropriate" for a particular covered entity. Whether an addressable safeguard is reasonable and appropriate will depend on various factors, including an entity's risk analysis, risk mitigation strategy, the type of security measures already in place, and the cost of implementation. Examples of addressable safeguards include encryption and decryption, log-in monitoring, and protection from malicious software.

Our firm will provide further guidance on the Security Rule later this spring. In the meantime, questions regarding compliance with the HIPAA security, privacy or electronic transactions standards may be addressed to Heather Van Roo, Client Services, at 414-298-8437 or 800-553-6215 or hvanroo@reinhartlaw.com.

