The Department of Health and Human Services today will release the security rules section of the Health Insurance Portability and Accountability Act (HIPAA).
The final rules provide broad guidelines to health care organizations and providers who must comply with the regulation -- which represents a significant departure from the proposed rules that have been in circulation for some time. The draft security rules described specific technical requirements.
The final security rules, for example, make risk assessments mandatory and state that security policies and procedures must be documented.
The rules go into effect April 21, and companies will have two years to come into compliance with them. Small organizations -- those that have fewer than 50 employees -- will have three years.
"Some people want a checklist, but that is not the case," said Kevin Beaver, president of the Atlanta-based information security consulting firm Principle Logic LLC. The rules are a little easier to understand in at least one way, because they use similar terminology as the HIPAA privacy rules. For example, things are labeled as being administrative, physical or technical, Beaver said.
The lack of specifics in the security rules is probably not much of an issue to large organizations that have security staffs, said Marne Gordon, director of regulatory affairs for managed security services provider TruSecure Corp., in Herndon, Va. Enterprises have probably done risk assessments before and have the knowledge and experience to implement the rules. Smaller firms won't fare so well. They will likely have to hire outside help to become compliant, because the rules themselves won't offer them much guidance.
For example, previously the rules talked about organizations having to have firewalls in place and keeping all unused services turned off. The final security rules now only mandate that an organization must have a device to screen traffic from the Internet. "This means a firewall, but it doesn't say it specifically," Gordon said.
Another example of the ambiguity is with employee-termination procedures. There are few specifics about how they should look, said Gordon, who advises that organizations set policies for handling such situations, including gathering all company property from a departing employee, including computers and security ID tokens. E-mail and other user privileges should be cancelled right away as well.
The rules do offer a lot of flexibility, which is perhaps necessary to cover all the organizations that fall under the auspices of HIPAA. Pretty much, any organization that "transports, creates, stores or can see" private health information is required to meet the requirements, Gordon said.
The rules are also pretty scalable, meaning they will work for a variety of organizations, from a large corporation to a rural doctor's office, Beaver said. "It's not set in stone that you need to implement a specific technology," he said.
One issue with HIPAA is that it does affect companies outside of the health care industry. For example, application service providers and data warehousing and storage firms can fall under HIPAA guidelines, Gordon said. However, employers are exempted from the requirements.
Companies must realize that complying with the security rules and being secure are two distinct issues, Gordon said. She recommends that companies think of compliance and security in parallel so they will meet the requirements of the rules but also have good security practices in place.
Yet companies that have to comply with the security rules don't necessarily need to buy a lot of expensive firewalls or encryption applications, Beaver said. In a lot of cases, improving security and reaching compliance is more about policies and procedures than technology. "A lot of the cost lies in the cultural changes," he said.
FOR MORE INFORMATION:
- FEEDBACK: Are the final HIPAA security rules too broad?
Send your comments to News Writer Edward Hurley.