
Security Standard

Overview

Secretary Delegates HIPAA Security to OCR

On August 3, 2009, the Secretary of Health and Human Services (HHS) delegated to the Director of OCR the authority to administer and enforce the HIPAA Security Rule. This action by Secretary Sebelius will improve HHS' ability to protect individuals' health information by combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in HIPAA. The transition of authority for the administration and enforcement of the Security Rule from the Centers for Medicare & Medicaid Services (CMS) is expected to be seamless, with no interruption in the management or processing of any complaints filed prior to the transition. For a limited time, consumers may continue to submit HIPAA security complaints using CMS' online resource, the Administrative Simplification Enforcement Tool (ASET). To access this tool, please see the link in the Related Links Outside CMS section below. New security complaints may also be sent directly to the Office for Civil Rights. For more information and detailed instructions on how to submit a complaint to OCR, visit the OCR website, which is linked in the Related Links Outside CMS section below. The transition of security complaints from CMS to OCR has no impact on how complaints about Transactions and Code Sets or Unique Identifiers are filed or processed. CMS retains its enforcement authority for these other HIPAA rules.

To view the Federal Register notice of the Delegation of Authority and the Secretary's press release, please see the Related Links Outside CMS section below.

Security Standard

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information.  The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

The National Institute of Standards and Technology (NIST) published its "Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66 REV 1)."

In an ongoing effort to provide HIPAA covered entities with resources related to HIPAA security, NIST published Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This special publication (SP) discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. The publication was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule. It also directs readers to helpful information in other NIST publications on individual topics that the HIPAA Security Rule addresses, and aids readers in understanding the security concepts discussed in the HIPAA Security Rule. Please note that this publication does not represent guidance published by or on behalf of CMS, nor does it supplement, replace, or supersede the HIPAA Security Rule which is enforced by CMS. To view this document, please see the link in the Related Links Outside CMS section below.

HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information

CMS prepared this guidance to provide HIPAA covered entities with general information on the risks and possible mitigation strategies for remote use of and access to Electronic Protected Health Information (EPHI).

This guidance document sets forth CMS' minimal compliance expectations for covered entities seeking to safeguard EPHI that is accessed, stored or transported offsite. Please note, however, that this document does not seek to provide a comprehensive list of risks and mitigation strategies, but rather a general list of suggestions for organizations that require remote use of sensitive health information.

To view this document, please see the link in the Downloads section below.

HIPAA Security Educational Paper Series

There are seven papers in the HIPAA Security Educational Paper Series. Each paper focuses on a specific topic related to the Security Rule: "Security 101 for Covered Entities", "Security Standards Administrative Safeguards", "Security Standards Physical Safeguards", "Security Standards Technical Safeguards", "Security Standards Organizational, Policies and Procedures and Documentation Requirements", "Basics of Risk Analysis and Risk Management", and "Security Standards Implementation for the Small Provider". The papers are designed to give HIPAA covered entities insight into the Security Rule and assistance with implementation of the security standards.

To view these papers, see the link in the Related Links Inside CMS section below.

Downloads
HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information [PDF, 330KB]
Related Links Inside CMS
HIPAA Security Educational Paper Series

HIPAA - General Information
Related Links Outside CMS
A CMS & NIST HIPAA Security Rule Conference

NIST Introductory Resource Guide to Implementing the HIPAA Security Rule [PDF, 913KB]

ASET

Office for Civil Rights

Delegation of Authority Federal Register Notice [PDF, 10.1KB]

Delegation of Authority Secretary's Press Release

 

Page Last Modified: 08/04/2009 12:25:58 PM