Monday, April 03, 2006

Electronic PHI Security Deadline

We have received questions about HIPAA's Security deadline for small employers. The deadline for compliance is April 20, 2006. It is important that all covered entities (even small group plan sponsors) take the same steps toward HIPAA Security Compliance as larger plans took last year.

Small Health Plans Defined: For HIPAA purposes, small health plans are plans that paid premiums or claims of $5 million or less in the most recent plan year. In addition to the Privacy Rules, HIPAA imposes rules for maintaining the security of Protected Health Information (PHI) that is kept in electronic format.

The HIPAA Security Rules apply only to electronic Protected Health Information (e-PHI). This includes information stored in or received or sent by a computer, phone voice response, or fax-back systems. The security rules require covered health plans to implement administrative, physical, and technical safeguards in order to protect this information.

What should small employers do?

The statement below was made by CMS (Centers for Medicaid and Medicare Services) to help clarify the roles of group health plan sponsors in complying with HIPAA's security rules.

"The employer must go through the risk analysis required by the HIPAA Security Rules to determine if any of their computer systems contain any electronic Protected Health Information (e-PHI). Assuming no e-PHI was discovered during the analysis, based on the flexible standards of the HIPAA security rules, there would not be much for the employer to do."

The first step the plans should take is to appoint a HIPAA security officer. While this must be a single individual, it may be the same person as the HIPAA privacy officer. The group health plan sponsor should then determine if it maintains any electronic Protected Health Information. If no e-PHI is discovered, the plan's HIPAA compliance documents should be updated to reflect that fact. If e-PHI is discovered, the plan must then comply with all of the standards set under HIPAA's security rule.

Below is a link to a checklist for HIPAA Security Rules put together by CobraAid.
http://www.hipaa-aid.com/documents/HIPAASecurityRulesChecklist.pdf
