Rays of Light
 
The musings of Ray Trygstad: IT guy, professor, Naval officer, world traveler and sometime preacher.
April 21, 2004
One Year to HIPAA Security Rule Compliance

One year from today, on April 21, 2005, everyone who handles Electronic patient Protected Health Information (EPHI) is required to comply with the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), except for small health plans, which have until April 21, 2006. This rule is codified as 45 CFR Parts 160, 162, and 164: “The security standards...define administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission.”

Compliance with HIPAA Security will become a cottage industry over the next two years, as even single-doctor practices that use a computer to store patient information will discover that they are subject to this rule. In a Security Focus article, Steven Weil explains the rule and its implications, but the article targets security and IT professionals and not doctors, many of whom are completely unaware of their responsibilities under this rule. If you own a building that leases space to doctors and you provide Internet connectivity to your tenants, and they transmit EPHI over the network, you come under this rule!

A Google search on “HIPAA Security Rule” produces over 8,000 results, most of them (it seems) targeting information security professionals in the health care industry, but there is some hope for the small practice in the form of products like TurboCharge HIPAA Security, which for a relatively nominal fee ($495) promises to provide all the tools to bring your practice into compliance. I do not envy those who have to wade through this stuff, but for out-of-work IT pros who need to pull in some much-needed dineros, a few good HIPAA compliance tools coupled with a little marketing savvy could easily spell a successful HIPAA compliance consultancy.

(Q: What do you call an unemployed IT professional? A: A consultant!) I'm almost tempted myself... no, just tempted. But you could do it... really!

Posted by trygstad | Category: InfoTech | 10:13 PM
