EXPERT RESPONSE
The HIPAA security rule is still in its proposed form, but it's most likely not
going to change much once it's finalized (supposedly in October 2002). You can
view the current draft of the security rule at
http://aspe.os.dhhs.gov/admnsimp/nprm/secnprm.pdf. In a nutshell, the rule is
divided into four categories: Administrative Procedures with 12
requirements; Physical Safeguards with six requirements; Technical Security
Services with five requirements; and Technical Security Mechanisms with one
requirement. In addition, there's currently an electronic signature standard,
but word has it that this will be dropped in the final version of the rule.
Like any good security standard, the HIPAA security rule is based more on
policies, procedures and business processes than it is on technology. The
requirements are designed to be scalable and technology neutral, thus
there are no specific technology requirements for system hardening, encryption
algorithms, security infrastructure, etc. The rule tells you what to do, not
how to do it. There's a chance that the final security rule will be based on
NIST, ISO or other security standards, which will make it much easier to find
documentation on how to implement the proper systems and comply. For more
information on the HIPAA security rule, check out the following URLs:
Frequently asked questions about security and electronic signature standards
HIPAAdvisory standards for security and electronic signatures
HIPAA security rule FAQ
Five good reasons to get started on HIPAA security compliance
For more information on this topic, visit these SearchSecurity.com resources:
Best Web Links: Health care/health services
News & Analysis: HIPAA is a strategic enabler
News & Analysis: Experts answer users' HIPAA questions