HIPAA Security Standards for the Protection of Electronic Protected Health Information
The Final Rule adopting HIPAA standards for the security of electronic protected health information was published in the Federal Register on February 20, 2003. Most covered entities had to comply with the Security Rule by April 20, 2005. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
The Office for Civil Rights (OCR), which is a part of the U.S. Department of Health and Human Services (HHS), is responsible for implementing and enforcing the Security Rule. The OCR website is http://www.hhs.gov/ocr/hipaa.
Additional Security Resources
The Computer Security Division (CSD) is one of eight divisions within the National Institute of Standards and Technology's (NIST) Information Technology Laboratory. NIST's CSD supports the intelligent management of IT risks, vulnerabilities and protection needs.
NIST's CSD develops computer security prototypes, tests, standards, and procedures to protect sensitive information from unauthorized access or modification. These publications present the results of NIST studies, investigations, and research on information technology security issues.
NIST's CSD has developed a DRAFT Introductory Resource Guide for Implementing the HIPAA Security Rule (NIST SP 800-66), which is an excellent resource for covered entities implementing the NIST HIPAA Security Rule document.
For the full list of NIST Security publications, visit NIST's CSD publications library at: http://csrc.nist.gov/publications/index.html
Adobe Acrobat Reader is required to view the file(s) above. Download a no-cost version.
HITECH (Health Information Technology for Economic and Clinical Health)
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html, a provision that provides for privacy and security of patient health information. Part of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115), the HITECH Act significantly modifies the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936). The HITECH Act adds new requirements concerning privacy and security for health information directly affect many entities. Specifically, the HITECH Act:
- Directly applies the HIPAA security standards to business associates. Business associates are subject to the administrative, physical, and technical security requirements of HIPAA, must implement appropriate policies and procedures, and must document their security activities. Penalties for violating these HIPAA standards will apply to business associates, just as they now do to covered entities including health plans and health care providers.
- Establishes new breach notification requirements. The HITECH Act will require that covered entities notify each individual whose health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach of unsecured PHI. Business associates are required to notify covered entities of breaches of unsecured PHI. Covered entities are required to give notice of the breach without unreasonable delay, and no later than 60 calendar days after its discovery.
- Strengthens enforcement by increasing fines and adding a new tiered penalty scheme.