The final HIPAA security rule issued Thursday removes the lengthy appendix found in the 2000 proposal that spells out technology requirements for compliance with the regulations.
"A lot of this is policy and procedure and not technology," says Dan Rode, vice president for policy and government relations for the American Health Information Management Association, a trade association for medical coders.
"That makes sense," Rode says. "It gives more flexibility" to healthcare organizations.
What CMS essentially has done, according to Rode, is acknowledge that technology keeps changing by listing requirements but not processes.
The actual rule takes up only the final 44 of the total 289 pages in the version released to the public this week; the bulk of the text is devoted to responding to the 2,350 public comments CMS received on the earlier proposal.
The security rule, along with modifications to the HIPAA regulations on transactions and code sets, is to be published in the Federal Register Feb. 20.
The security standards are effective on or about April 21, but most covered entities will have two full years--until April 21, 2005--to comply with the standards. Small health plans will have an additional year to comply.
Modifications to the standards for transactions and code sets affect health plans, certain healthcare providers and healthcare clearinghouses, which must comply by Oct. 16. However, Rode says CMS does not specify in the transaction amendment how it will deal with the estimated 1.5 million covered entities that did not apply for a one-year extension to comply with the rules by the Oct. 15, 2002 deadline.
"There's no surprises in these modifications," Rode says. "Probably the biggest surprise is that they finally got them out."