CMS Issues Final HIPAA Security Rule and Transaction Set Regulation

On February 20, the Centers for Medicare & Medicaid Services (CMS) issued two final rules implementing provisions of the Health Insurance Portability and Accountability Act (HIPAA).

Proposed Security Rule

Final Security Rule
Chain of trust agreement is the contractual mechanism used to protect electronically transmitted PHI. Additional business associate requirements are the contractual mechanism to protect electronically transmitted PHI.
Standards are grouped in four categories (administrative safeguards, physical safeguards, technical security services, technical security mechanisms). To reduce duplication, standards are grouped in three categories (administrative, physical, and technical safeguards).
Stand-alone definitions in the proposed Security Rule did not match up with the privacy or transaction set regulations. Most definitions now apply across the security, privacy, and transaction set regulations (45 CFR, Parts 160 and 162).
HIPAA Security Rule: The final HIPAA Security Rule, issued after a four-year delay, establishes protections for individual health information held in electronic form. The compliance date for the Security Rule is April 21, 2005, meaning that covered entities have 26 months to implement the security standards. For each security standard, the Rule set forth implementation specifications, which are further classified as either "required" or "addressable." While the required items are literally required, the addressable items can be understood as one of several implementation options that can be used to meet the intent of a specific standard. The final Rule is technology-neutral and does not identify specific products or services that should be used to meet the security requirements, and it cites cost as an explicit factor in a covered entity's decision-making process about how to implement security, thereby creating a more reasonable set of implementation expectations. Also, the underlying concepts of the final Security Rule have been synchronized with the privacy and transaction set regulations (see chart). If you have questions or comments about the final Security Rule, please contact Susan Stuard at GNYHA.

Transaction Set Regulation: The final "Modifications to the Transactions and Code Sets" rule adopts several positive changes for the HIPAA transaction set implementation specifications. Providers believe that the modifications are essential to permit implementation of the transaction sets. CMS adopted several of the changes recommended in GNYHA's May 31 comment letter, including elimination of several of the more onerous transaction set requirements. The detailed changes are published as addenda to the implementation guides, which are available at www.wpc-edi.com. This regulation is effective on March 24, 2003. The deadline for compliance with the HIPAA transactions and code sets is October 16, 2003. If you have any questions about the HIPAA transaction sets, please contact Ellen Lukens at GNYHA.

 
 

This page, and all contents, are © Copyright 2006 by Greater New York Hospital Association, 555 West 57th Street, New York, NY 10019. Phone: (212) 246-7100. Fax: (212) 262-6350. All rights reserved.
GNYHA Terms & Conditions. | Careers at GNYHA.