The proposed security rule published in August
1998 requires every covered healthcare organization to have an information
security program in place. It is expected that most of the proposed standards
will be implemented in the final rule once it is published. Publication
of the final rule is expected by September 2002. The final rule is also
expected to contain increased audit requirements as well as clarification of
how paper and oral communications will be affected by the security standards.
Electronic signatures are expected to be covered separately in their own
Notice of Proposed Rule Making (NPRM).
The proposed security standard addresses how data is
stored and accessed. It provides the means for safeguarding data integrity,
confidentiality and availability through a documented formal information
security process that includes:
- Administrative Policies and Procedures
- Physical Safeguards
- Technical Security Services
- Technical Security Mechanisms
ADMINISTRATIVE POLICIES AND PROCEDURES
This section of the regulations establishes a management structure that
identifies roles and responsibilities for security oversight and operational
aspects of data management. This formalized plan demonstrates the organization's
commitment to safeguard protected health information (PHI). The plan has
established security goals that facilitate prevention, detection, containment
and correction of security breaches. All covered entities must document
the execution of the compliance plan, including regular reports to senior
management about the program and evidence of how security values, policies
and processes are communicated to employees.
PHYSICAL SAFEGUARDS
All covered entities will be required to ensure the physical safety of
PHI as well as the hardware used to store and transmit it. These measures
include physical access and media controls, secure workstation locations
and detailed policies and guidelines on workstation use. These guidelines
will include measures such as supervision of contractors in secure areas,
maintaining an audit trail of all access and establishing appropriate
controls when sending equipment off site. All employees should be trained
in appropriate physical safeguard and security practices.
TECHNICAL SECURITY SERVICES
Technical security services protect, control and monitor access to information.
These include the authentication of data and entities involved in transaction
processing as well as establishing and maintaining audit controls.
TECHNICAL SECURITY MECHANISMS
Technical security mechanisms prevent unauthorized access to data that is
transmitted electronically. They establish procedures for communications
and network controls covering data in transit, including integrity
controls, alarms and adverse event reporting.
To discuss your particular requirements, or for
further information on Equivus products and services, please feel welcome
to call us on 866.378.4887. Alternatively please email info@Equivus.com.