The US Department of Health and Human Services (HHS) released the regulation in part to answer questions surrounding chain-of-trust agreements and business associate accords, according to Washington-based legal publisher BNA.
The questions stemmed from the 1998 release of a preliminary security rule. That release contained a single sentence mentioning the need for chain-of-trust agreements to ensure the security of personal health information when transferred from a covered entity to a non-covered entity. The final HIPAA privacy rule includes a requirement of business associate agreements for much the same purpose.
Along with the final security rule, HHS also issued modifications to the final transaction and code set regulation, including the repeal of the National Drug Code. The documents are scheduled for publication in the February 20 Federal Register.
The delayed release of the security rule has HHS facing mounting criticism. Among the complaints was the difficulty of complying with the privacy rule by April 14, 2003, without knowing the details of the security rule.
With the release, HHS has promised to issue guidance on the final security rule, although it did not set a deadline for its release.
Among the differences between the preliminary security rule and the final version are changes to terms and definitions to make them identical to those in the privacy rule. Additionally, HHS removed the electronic signature requirements from the rule, although it appears that this mandate will be included in a separate regulation, an action that was widely anticipated, according to BNA.
“Under the security standards announced today, health insurers, certain health care providers and health care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information,” HHS said in a statement. “The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care.”
HHS, recognizing the need to streamline the regulation, cut the number of mandatory implementation specifications from 69 in the preliminary rule to 13 in the final rule. Additionally, the final rule makes no distinction between internal and external data movement, with security procedures required of both.
“[T]his final rule covers electronic protected health information at rest (that is, in storage) as well as during transmission,” HHS said. “Appropriate protections must be applied, regardless of whether the data are at rest or being transmitted. However, because each entity’s security needs are unique, the specific protections determined appropriate to adequately protect information will vary and will be determined by each entity in complying with the standards … .”
Plan sponsors wishing to view the final security rule may do so on the Web at http://www.cms.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf. Further, the modifications of the transaction and code set rules are available at http://www.cms.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf.