Abstract
2003;6:377-381
And You Thought You Were Done With HIPAA: Complying With The New Security Rule
A Practice Management
Erin Brisbay McMahon, JD.
On February 20, 2003, the Department of Health and Human Services (HHS), pursuant to its authority under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), issued the final rule on Security Standards for electronic protected health information (electronic PHI). The rule sets out the duties of providers who conduct electronic transactions covered by the HIPAA transactions and code sets rule to address the security of electronic PHI in storage and in transmission.
Providers who are required to comply with the security rule must do so by April 20, 2005. While this may seem like a long time, the compliance requirements are lengthy and burdensome, so providers would be well advised to start compliance efforts now. Appointing a security officer and beginning a risk analysis should be the first priorities of any practice. While the security officer will be integral to a practice's compliance, it is ultimately the burden of the practice itself to ensure compliance with the rule.
Penalties for non-compliance are stiff: civil money penalties of up to $100 for each violation of a requirement or prohibition, capped at $25,000 per calendar year for all violations of an identical requirement or prohibition. Criminal penalties must be imposed if a person, knowingly and in violation of the security rule, obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
This article is not, and should not be construed as, legal advice or an opinion on specific situations.
Keywords: HIPAA, security standards, required, addressable