HIPAA CONTINGENCY PLAN
The Final HIPAA Security Rule & Transaction Modifications Rule
February 13, 2003
- HHS Adopts Final Security & Transaction Modifications Rules
- HHS Secretary Tommy G. Thompson today announced the adoption of the Security and Transaction Modifications Final Rules.
February 20, 2003
- The Final Security Rule Is Published In The Federal Register. The effective date is established as April 21, 2003. Most covered entities will have two full years -- until April 21, 2005 -- to comply with the standards; small health plans will have an additional year to comply, as HIPAA requires.
As with the Final HIPAA Regulation, this paper contains a significant amount of reading material. Even though it is lengthy, it addresses only Contingency Planning, a small part of the regulation. However, if you have never been challenged to do a contingency plan, the potentially time-consuming process can be overwhelming. It is my hope that when you set this document down, you will understand the concepts, feel that you can do it, and then start the process. It is also my hope that you use your recovery plan not just to reach compliance, but that you embrace the process so that you are truly ready should a disaster occur.
With that aside, let's get started and review the final regulation that addresses the contingency plan requirement:
Final Security & Transaction Modifications Rules
Administrative Safeguards – 164.308
164.308.a7(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
164.308.a7(ii) Implementation specifications:
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
The above section identifies the five (5) “Implementation Specifications”, each “required or addressable”, that must be met to become “compliant” with the HIPAA Contingency Plan Requirement. It is my objective to walk you through a straightforward seven-step process that you will need to follow to reach the required HIPAA compliance level. We’ll start by explaining the general concept of Contingency Planning. Next, we’ll cover each of the seven steps, why each is important, and how each relates to the HIPAA Contingency Implementation Specifications.
CONTINGENCY PLANNING is both disaster avoidance and disaster readiness. It starts with the identification of risk and, where possible, its subsequent elimination. Then comes the identification of critical business units and the requirements for each of those units to function. Next, details on response, resumption and recovery are systematically documented in a recovery plan. And finally, the recovery plan is tested and adjustments are made. In an emergency, the process facilitates “coordinated team efforts to restore an organization’s critical business functions by systematically following predetermined and documented actions triggered by a significant and unanticipated event that results in an interruption in services”.
At a high level, contingency planning is an uncomplicated process. However, a solid contingency plan requires an understanding of the requirements, as well as time, commitment, and funds. To assist you in this endeavor, I offer you the following map to developing and implementing a contingency plan: