"The HIPAA Handbook is an indispensable guide for people developing security plans and risk assessment strategies", stated Lisa Gallagher, senior director, Exodus Healthcare Security Initiative and a contributing author to the HIPAA Handbook. "The analysis provides practical insights on what hurdles must be overcome to successfully implement the proposed HIPAA security standards and other important security practices that should be part of any risk management strategy."
The third in a trilogy of books published by URAC focusing on HIPAA, the Handbook offers a road map not only for regulatory compliance with the HIPAA Administrative Simplification provisions, but it also provides the information health care organisations need to comply with the licensure and accreditation standards that are being developed by states and accrediting bodies.
To help small, medium, and large health care organisations apply the data security requirements, the reference book discusses how the regulation will apply to entities based on their size and complexity. This concept of "scalability" is one of the fundamental principles of the security requirements.
The book also dispels common myths surrounding the Security Rule, including:
Myth: The lack of a final HIPAA security regulation means that health care organisations do not have to provide data security for their patient data.
Fact: The HIPAA Privacy Rule requires covered entities to provide data security for patient data.
Myth: The lack of a final security rule means that health care organisations will not have to provide data security for the electronic transaction standards issued under HIPAA.
Fact: The implementation guides that provide the core requirements for the Electronic Transaction Standards require those organisations that file claims and other related data on-line to provide data security for the information, to ensure data integrity and prevent hacking and other common e-commerce related threats.
Myth: Health care organisations do not have to worry about regulatory compliance in regard to data security because a final rule has not been issued, and even if one is issued soon, they will have 24 months to come into compliance.
Fact: The deadline for complying with data security requirements is April 2003. That is when HHS will begin enforcing the HIPAA Privacy Rule. It is also the last month covered entities have to start testing their electronic transaction systems by sharing data with outside organisations.