Other HIPAA Information

HIPAA Enforcement

On February 16, the Final Rule on HIPAA Enforcement was published in the Federal Register. The regulation can be viewed at:
http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/pdf/06-1376.pdf. The Final Rule adopts the complete regulatory structure for implementing the civil money penalty authority of the Administrative Simplification part of HIPAA (SSA, section 1176), completing the structure begun when the Privacy Rule was issued in 2000 and expanded by the interim final procedural enforcement rules issued in 2003. The Final Rule covers the enforcement process from its beginning, which will usually be a complaint or a compliance review, through its conclusion. A complaint or compliance review may result in informal resolution, a finding of no violation, or a finding of violation. If a finding of violation is made, a civil money penalty will be sought for the violation, which can be challenged by the covered entity through a formal hearing and appellate review process. These rules apply to covered entities that violate any of the rules implementing the Administrative Simplification provisions of HIPAA.

TOP

Security Final Rule

February 20, 2003 Health insurers, certain health care providers and health care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care. The rule can be viewed at http://www.cms.hhs.gov/SecurityStandard/ Covered entities (except small health plans) must comply with the security standard by April 21, 2005. Small health plans have an additional year to comply.

HIPAA Security Series
HHS has posted five papers in the HIPAA Security Educational Paper Series. The Five papers are currently available: "Security 101 for Covered Entities", "Security Standards-Administrative Safeguards", "Security Standards - Physical Safeguards", "Security Standards-Technical Safeguards" and "Security Standards-Organizational, Policies and Procedures and Documentation Requirements". When a new paper in the series is available, it will be immediately posted to the website. To view the papers go to: http://www.cms.hhs.gov/SecurityStandard/

Security Guidance
Security Guidance is available at http://www.cms.hhs.gov/SecurityStandard/

The Workgroup for Electronic Data Interchange (WEDI) has posted white papers to its site that will assist in meeting the HIPAA requirements. These papers were developed through the Security and Privacy Workgroup of WEDI's Strategic National Implementation Process (SNIP). These papers include a Risk Analysis White Paper, Employer Issues White Paper, Small Practice Security Implementation White Paper, Disaster Recovery and Contingency Planning White Paper. Other useful security white papers can be found on WEDI's site at http://wedi.org/snip/public/articles/dis_publicDisplay.cfm?docType=6&wptype=2

October 2008 The National Institute of Standards and Technology (NIST), published its "Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66 REV 1)" on October 24th as final. It is accessible to the public via the following web link: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

August 2009 HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights Press Release

TOP

Employer ID Final Rule

May 31, 2002 The final rule adopting a standard for a National Employer Identifier was released. This standard will be the Employer Identifier Number issued by the Internal Revenue Service. The final rule can be viewed at: http://aspe.hhs.gov/admnsimp/bannerid.htm.

TOP

DSMO

The Secretary of Health and Human Services designated NCPDP as one of the Designated Standard Maintenance Organizations (DSMOs). These organizations maintain standards for health care transactions adopted by the Secretary, and receive and process requests for adopting a new standard or modifying an adopted standard. The DSMO website is www.hipaa-dsmo.org

TOP