Originally published January 24, 2005
Compliance deadlines for the Security Rules implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are fast approaching. In fact, the rules require compliance no later than April 20, 2005, for all covered entities except small health plans.
To comply, health plans, health care clearinghouses, Medicare prescription drug card sponsors and most health care providers will need to implement administrative, physical and technical safeguards for the electronic protected health information (ePHI) that they store and/or transmit. Before implementing such safeguards, these covered entities will need to assess the potential risks and vulnerabilities to the ePHI they maintain or transmit, evaluate their existing security measures, and determine what additional measures are needed to reduce those risks and vulnerabilities to a reasonable and appropriate level.
Covered entities will need time to prepare in advance of the compliance deadline because, in addition to the risk assessments and safeguards described above, they will need to appoint a security official, develop contingency plans, develop and implement policies and procedures that demonstrate compliance, and train workforce members on security standards and procedures.
The Centers for Medicare & Medicaid Services (CMS) will monitor compliance with the HIPAA Security Rules. Violating these rules can result in both civil and criminal penalties. Unintentional violations may result in civil penalties of up to $25,000 per calendar year for violations of the same requirement. Intentional violations can draw more severe fines or criminal sanctions.
The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.