HIPAA’s Security Rule Requires Compliance by 4/20/06 for “Small” Health Plans
 
Posted on: Wednesday, January 25, 2006
 
Large health plans (those with more than $5 million in annual receipts) had to comply with the HIPAA Security Rule last year, as of April 20, 2005. Small health plans (those with less than $5 million in annual receipts) must comply by April 20, 2006.

As brief background, the Security Rule applies to electronic protected health information (EPHI) that is transmitted by, or maintained in, electronic media. Electronic media includes storage media such as hard drives, magnetic tape or disks, and digital memory cards. It also includes transmission media such as the internet, intranets, leased lines, dial-up lines, and private networks, as well as the physical movement of electronic storage media.

While the Security Rule specifies the standards and implementation specifications a health plan, or covered entity (CE), must follow, it intentionally does not prescribe the exact steps the CE must take. Instead, the security requirements were designed to be technology neutral and scalable to an organization of any size. To assist CEs with compliance, the Department of Health and Human Services (HHS) has published a series of papers, No. 1 through 7, each focused on a specific topic related to the Security Rule. These should be mandatory reading for an organization’s HIPAA compliance team. While no single approach will guarantee a successful implementation of all the security standards, the HHS papers aim to explain specific requirements, the reasoning behind them, and possible ways to address the provisions.

First Step Towards Compliance
The CE must conduct a risk analysis, which includes a thorough review of the plan’s operations to determine whether the plan creates, receives, maintains, or transmits EPHI. If it does, the CE must develop and document a risk management plan that addresses each of the three security areas – administrative, physical, and technical safeguards. CEs must ensure, to the extent feasible, that EPHI is protected from inappropriate access, modification, dissemination, and destruction. Specifically, a CE must:

1. Ensure the confidentiality, integrity, and availability of all electronic PHI that the CE creates, receives, maintains, or transmits;
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Security Standards; and
4. Ensure compliance with the Standards by its workforce.

Administratively, several documents must be amended, such as:

1. The Business Associate Agreement (BAA), where the Business Associate creates, receives, maintains, and/or transmits electronic PHI on the Plan’s behalf. The Security Rule imposes additional requirements on the Business Associate, such as reporting to the CE any "security incident" of which it becomes aware. A security incident is defined as:

"The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system involving PHI that is created, received, maintained or transmitted by or on behalf of the CE in electronic form."

2. The applicable Plan Document(s), which must be amended to provide that the Plan Sponsor will reasonably safeguard the electronic PHI created, received, maintained, or transmitted to or by the Plan Sponsor on behalf of the Plan. The amendment sets forth the obligations and prohibitions the Plan Sponsor must carry out.

Your Denman specialist is available to meet with you to discuss this in more detail and to review the amendments necessary for your Plan’s BAA and Plan Documents.

Should you have any additional employee benefit questions, or would like to discuss this material in more detail, please don’t hesitate to call the Denman Team.

For additional information on this topic, please refer to:
CMS Security Standard Guidance
Final HIPAA Privacy and Security Regulations