Network World

Government publishes HIPAA security standards

By Paul Roberts, IDG News Service, 02/20/2003

More than four years after it first proposed health information security standards, the Department of Health and Human Services (DHHS) published a trimmed-down final version of the standards on Thursday.

The publication of the "final rule" for health information security standards as part of the 1996 Health Insurance Portability and Accountability Act (HIPAA) met with mixed reaction from health-care experts, with some saying a lack of specific requirements will create confusion in the health-care industry, and others applauding the government's hands-off approach. The final rule was announced last week and published in the Federal Register Thursday.

Most of those asked about the final rule were still digesting the almost 300 pages of changes and modifications to the government's first draft and said that it was too early to tell what effect it will have.

"(The standards) haven't been out long enough for me to absorb everything yet, but I don't think they've dramatically changed," said Pat Johnston, director of health information privacy and security at Texas Health Resources, a nonprofit health network based in Arlington.

The security standards establish protections for electronic health information, implementing requirements laid out in the Administrative Simplification subtitle of the HIPAA legislation. The standards directly affect the way health plans, health-care clearinghouses and certain health-care providers handle patients' private health information, requiring a number of steps to comply with the law.

Among other things, affected entities are required to:

  • Conduct a thorough risk analysis of their organizations and review electronic information handling procedures, information system activities and policies to develop measures that ensure the integrity of patient health information.
  • Develop clear policies for detecting and reporting security violations, as well as contingency and disaster recovery plans to guard against patient data loss.
  • Make business associates and partner companies aware of security policies and procedures, either through written contracts or other less formal means.

Noticeably, however, the government backed away from many of the requirements it laid out when the standards were first proposed in 1998, after health-care organizations complained that implementing those requirements would be prohibitively expensive.
