HIPAA Security Tips
HIPAA CLIPS

HIPAA Clip No. 05-01
Now that the deadline for HIPAA security compliance has come and gone, we're changing our weekly HIPAA Security Tips into monthly (or so) HIPAA Clips. We'll cover new developments and include a tip or two on select topics in both the privacy and security realms.

Security Evaluation Testing
Think you are "finished" with HIPAA security? Think again. The final security standards include a requirement for evaluation testing. Covered entities must periodically conduct both a technical and nontechnical analysis to determine whether their policies and procedures meet HIPAA standards.

The "technical" analysis covers standards relating specifically to information systems. The "nontechnical" analysis covers all other security standards. For the most part, the "administrative safeguards" and "organizational requirements" categories of standards will be nontechnical. Like the implementation team, the evaluation team should include members with both technical and nontechnical expertise.

The rule does not specify an interval for conducting evaluations. At a minimum, compliance should be evaluated annually. A covered entity's risk analysis may indicate a shorter interval: the higher the criticality of the data, the more frequently its protections should be assessed. This is one case in which the size of the entity is not particularly important; even small entities should evaluate more frequently if their system houses sensitive data. In any event, significant changes in the information system (such as a software upgrade or the addition of new hardware) or in the IS environment (announcement of a major security risk, or new and improved HIPAA requirements) should trigger an evaluation even if it occurs between scheduled reviews.

Proposed Enforcement Rule Released
On April 18 the Department of Health and Human Services released a revised HIPAA enforcement rule. The proposed rule would amend the existing rules relating to the investigation of non-compliance to make them apply to all of the HIPAA standards (including the security standards), not just the privacy standards.

Comments on the proposed rule must be delivered to HHS by June 17, 2005. The proposed rule may be downloaded from the Office of Civil Rights in .pdf format:
http://www.hhs.gov/ocr/hipaa/enforNPRM.pdf

or .html:
http://www.hhs.gov/ocr/hipaa/enforNPRM.htm

Of Interest: The Law of Unintended Consequences
"In a paper published in the Archives of Internal Medicine, researchers from the University of Michigan Cardiovascular Center report how their research on heart attack care has been hampered by the national medical privacy regulations under a law known as HIPAA, which took effect two years ago last month."

For the full story, see:
http://www.medicalnewstoday.com/medicalnews.php?newsid=25307

--------------------------------
HIPAA Clips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

If you would like to receive HIPAA Clips by email, simply write to hipaa@icrh.com with "Subscribe" in the subject line. HIPAA Clips are a free service available to anyone.

HIPAA Clips are written for general information and educational purposes only and are not intended to provide legal advice.

© 2005 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction. All other rights reserved.