ADMINISTRATIVE POLICIES AND PROCEDURES
This section of the regulations establishes a
management structure that identifies roles and responsibilities
for security oversight and operational aspects of data management.
This formalized plan demonstrates the organization's commitment
to safeguard protected health information (PHI). The plan has established
security goals that facilitate prevention, detection, containment
and correction of security breaches. All covered entities must document
the execution of the compliance plan, including regular reports
to senior management about the program and education of how security
values, policy and processes are effectively communicated to employees.
All covered entities will be required to ensure
the physical safety of PHI as well as the hardware used to store
and transmit it. These measures include physical access and media
controls, secure workstation locations and detailed polices and
guidelines on workstation use. These guidelines will include measures
such as supervision of contractors in secure areas, maintaining
an audit trail of all access and establishing appropriate controls
when sending equipment off site. All employees should be trained
in appropriate physical safeguard and security practices.
TECHNICAL SECURITY SERVICES
Technical security services protect, control and
monitor access to information. These include the authentication
of data and entities involved in transaction processing as well
as establishing and maintaining audit controls.
TECHNICAL SECURITY MECHANISMS
The prevention of unauthorized access to electronically
transmitted data is provided by technical security mechanisms. These
establish procedures regarding communications and network controls
for data in transit that include integrity controls, alarms and
adverse event reporting.
HIPAA REGULATIONS: COMPLIANCE SCHEDULE
The Department of Health and Human Services has
published Notices of Proposed Rule Making (NPRM) and is in the process
of publishing the final rules, as well as implementation guidelines
for each of the HIPAA-related regulations. The following summarizes
the current status and timing for each of the HIPAA regulations:
|EDI Transactions and Code Sets
||October 16, 2002 or 2003 with ASCA
|National Provider Identifier
|Standard Unique Employer Identifier
||July 30, 2004
|National Health Plan Identifier
|National Individual Identifier
||April 14, 2003
*It is anticipated that the data security regulations
will be finalized in 2002.