Final HIPAA Rules Hit The Street
Standards require health-care organizations to develop, implement, and document the steps they take to secure health-care information.
The final standards for protecting the security of health-care information within electronic transactions, adopted by the Bush administration, will be entered into the Federal Register on Thursday. While these final rules take effect on April 21, large health-care organizations have until April 2005 to comply with the regulations. Smaller ones are given an additional year to comply.
While the 289-page summary of security rules doesn't specify any particular technologies to be used to secure electronic health-care information, it does require that health-care companies develop, implement, and carefully document the measures they take to ensure that such information remains secure. The security standards establish baseline safeguards for health-care organizations to deploy: administrative safety measures (such as security training and security assessments), physical security (such as restricting physical access to certain systems), and technological safeguards (such as electronic signatures and passwords) to ensure that protected information remains confidential, isn't altered, is readily available, and isn't accessed without authorization.
While the security rules are established to protect the actual information electronically stored and transmitted, the privacy rules that go into effect in April focus on how protected health information is to be controlled through policies establishing who has access to that information and what specific rights patients have regarding their personal health-care information.
"Overall, these national standards required under HIPAA will make it easier and less costly for the health-care industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential," Tommy Thompson, Secretary of Health and Human Services, said in a statement. "The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing health-care transactions."
Pete Lindstrom, research director with Spire Security, says the final rules removed many of the technical requirements, present in earlier drafts, that may have dictated health-care organizations deploy certain types of security applications. "They removed the requirement for digital signatures and chose much less technically strict electronic signatures," Lindstrom says. "They want health-care providers to be able to choose the types of security technologies they feel are appropriate for their own organization and systems. ... The final rules highlight that information security is an ongoing process of risk management." He notes that as a result of the final security rules, health-care organizations are going to have to carefully establish security policies and procedures and document why they chose certain tactics and technologies to secure their systems.
Security vendors hoping to find a sales boon in the final rules are going to be disappointed. "There's nothing that says you have to buy certain security technologies," such as intrusion-detection systems, firewalls, or digital certificates, Lindstrom says.
While the lack of technological specifics about how organizations need to go about securing their information may make HIPAA compliance easier in some ways, in other ways it will be more difficult for health-care providers to understand whether they are in compliance, Lindstrom says. "They're going to have to do their security homework, take a thoughtful approach to security, and be able to justify their policies," he says. But without steadfast rules, "this is going to be a free-for-all for a long time."