Where to find statement of HIPAA security standards

Where can I find a clear and concise statement of HIPAA security standards on which I can evaluate my WAN?

So far I have found thousands of pages regarding privacy or new formats for claims, EOBs and eligibility verification. But where are the criteria against which I can judge or configure my Windows 2000 WAN?


The HIPAA security rule is still in its proposed form, but it's most likely not going to change much once it's finalized (supposedly in October 2002). You can view the current draft of the security rule at http://aspe.os.dhhs.gov/admnsimp/nprm/secnprm.pdf. In a nutshell, the rule is divided into four categories: Administrative Procedures with 12 requirements; Physical Safeguards with six requirements; Technical Security Services with five requirements; and Technical Security Mechanisms with one requirement. In addition, there's currently an electronic signature standard, but word has it that this will be dropped in the final version of the rule.

Like any good security standard, the HIPAA security rule is based more on policies, procedures and business processes than it is on technology. The requirements are designed to be scalable and technology-neutral, so there are no specific technology requirements for system hardening, encryption algorithms, security infrastructure, etc. The rule tells you what to do, not how to do it. There's a chance that the final security rule will be based on NIST, ISO or other security standards, which will make it much easier to find documentation on how to implement the proper systems and comply. For more information on the HIPAA security rule, check out the following URLs:

Frequently asked questions about security and electronic signature standards
HIPAAdvisory standards for security and electronic signatures
HIPAA security rule FAQ
Five good reasons to get started on HIPAA security compliance



This was first published in September 2002