Health Insurance Portability and Accountability Act Security Rule To Take Effect
Physicians, hospitals, insurance companies and other health professionals on Thursday will be required to be in compliance with the Health Insurance Portability and Accountability Act security rule, the Wall Street Journal reports.
The new rule applies to the electronic, administrative and physical security of health information and establishes 13 standards with which health care providers must comply. It requires health groups to have a chief information security officer on staff, perform an analysis of security risks, implement safeguards to address security vulnerabilities and train employees on compliance.
Violators of the rule are subject to a $250,000 penalty and 10 years in prison. Karen Trudel, HHS deputy director of HIPAA standards, also noted that a provider who is not in compliance risks a security breach and a "badly tarnished reputation," the Journal reports.
However, HHS officials have not yet "aggressively" monitored for lapses, an indication that "the regulations give the providers and insurers some latitude on how to comply," the Journal reports. In fact, the rule states that it is "impossible to dictate a specific solution" for all care providers.
The rule is the third installment in a series of HIPAA rules. Previous rules have aimed to standardize the format for submitting and processing medical claims and limit who may have access to an individual's medical records. The HIPAA rules also have made it easier for patients to obtain their own records and request changes if they perceive an error.
According to the Journal, the cost of complying with the regulations is "substantial." The American Hospital Association estimates that hospitals will spend $22 billion over five years to comply with the second HIPAA regulation. Surveys have indicated that many providers are not in compliance with HIPAA standards (Conkey, Wall Street Journal, 4/21).