CIO Features Guide to Compliance With HIPAA Security Rule
An article in the current issue of CIO looks at how health care organizations can begin preparations for the HIPAA security rule, which takes effect in 2005. So far, fewer than 10% of HCOs have implemented the required security policies and procedures, and -- based on the 22% of covered entities that failed to meet the privacy rule deadline earlier this year -- many organizations may postpone their compliance programs and wait to see what happens to noncompliant entities, CIO reports. "They figure the fines are cheaper than going into HIPAA compliance," Wes Rishel, vice president and research area director at consulting group Gartner, said, adding, "That's a dangerous attitude."
CIO recommends several steps that can prepare organizations for the security rule, including those listed below.
- HCOs should establish a security team and appoint a head of security.
- HCOs should determine which electronic patient data is considered protected health data and which employees can access certain patient information.
- HCOs should conduct a security audit to determine their vulnerabilities and evaluate which safeguards are cost-effective with respect to the price of a potential security breach.
CIO recommends that HCOs begin the technical side of compliance by April 2004. After the April 2005 deadline has passed, organizations should continue to focus on assessing and, if needed, modifying their security programs (Dragoon, CIO, 7/1). This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations.