New URAC book dispels myths surrounding HIPAA security standards

Washington D.C. 05 November 2002 URAC has published the HIPAA Handbook "What Your Organization Should Know About the Federal Security Rule" to help the industry cope with the uncertainty surrounding HIPAA data security regulation. This "must read" publication is an expanded update to the original HIPAA Handbook, and features explanations and strategies by the United States' leading experts for meeting the security requirements under HIPAA.


"The HIPAA Handbook is an indispensable guide for people developing security plans and risk assessment strategies", stated Lisa Gallagher, senior director, Exodus Healthcare Security Initiative and a contributing author to the HIPAA Handbook. "The analysis provides practical insights on what hurdles must be overcome to successfully implement the proposed HIPAA security standards and other important security practices that should be part of any risk management strategy."

The third in a trilogy of books published by URAC focusing on HIPAA, the Handbook not only offers a road map for regulatory compliance with the HIPAA Administrative Simplification provisions but also provides the information health care organisations need to comply with the licensure and accreditation standards that are being developed by states and accrediting bodies.

To help small, medium, and large health care organisations apply the data security requirements, the reference book discusses how the regulation will apply to entities based on their size and complexity. This concept of "scalability" is one of the fundamental principles of the security requirements.

The book also dispels common myths surrounding the Security Rule, including:

  • Myth: The lack of a final HIPAA security regulation means that health care organisations do not have to provide data security for their patient data.
    Fact: The HIPAA Privacy Rule requires covered entities to provide data security for patient data.
  • Myth: The lack of a final security rule means that health care organisations will not have to provide data security for the electronic transaction standards issued under HIPAA.
    Fact: The implementation guides that provide the core requirements for the Electronic Transaction Standards require those organisations that file claims and other related data on-line to provide data security for the information to ensure data integrity and prevent hacking and other common e-commerce related threats.
  • Myth: Health care organisations do not have to worry about regulatory compliance in regard to data security because a final rule has not been issued, and even if one is issued soon, they will have 24 months to come into compliance.
    Fact: The deadline for complying with data security requirements is April 2003. That is when HHS will begin enforcing the HIPAA Privacy Rule. It is also the last month covered entities have to start testing their electronic transaction systems by sharing data with outside organisations.

"The health care industry has been waiting for years for the final HIPAA security standard to be published", stated Dennis Melamed, the lead editor and author of the HIPAA Handbook. "Nevertheless, regulators of all stripes believe that data security is good business practice, and health care entities should not wait for the regulation."

"In addition, health care organisations that want to obtain insurance to reduce the new risks created by the privacy regulation and the electronic transaction standards will need to address data security", added Mr. Melamed. "Insurers have made it abundantly clear that they will want to see how health care organisations are protecting patient and claims data before they will underwrite that risk."

URAC is a leader in the accreditation of health and managed care organisations. Founded in 1990, URAC currently offers 14 accreditation programmes that span a broad spectrum of health care services. URAC has issued over 2300 accreditation certificates to more than 500 health care programmes. URAC-accredited organisations do business in all 50 states, the District of Columbia, Puerto Rico, and Canada and provide services to more than 120 million people.

More URAC news is available in the VMW September 2002 article URAC to accredit first six disease management services companies and another 15 health Web sites. Interested parties can order the HIPAA Handbook "What Your Organization Should Know About the Federal Security Rule" for $65, or can order the trilogy of HIPAA books for $175 by visiting the URAC Web site.

Leslie Versweyveld
