After months of delays, HHS last month released a pared-down final rule for security of electronically transmitted protected health information, giving healthcare organizations greater flexibility than previously proposed for meeting the requirements.
The HIPAA security regulations are effective April 21, but most covered entities will have two full years--until April 21, 2005--to comply with the standards. Small health plans will have an additional year to meet the standards.
The rule contains just 13 mandates, down from the 69 specified in the 2000 proposal, and focuses on risk mitigation. It also removes the lengthy appendix found in the proposal that spells out technology requirements for compliance with the regulations.
HHS instead breaks provisions into two categories: requirements and "addressable" issues, a move characterized as a "huge change" by Robert Tennant, Washington, D.C.-based government relations manager for the Medical Group Management Association, Englewood, Colo.
"What we like, in particular, is that practices can use cost to determine their implementation strategies and solutions," Tennant says.
On the so-called "addressable" points, HHS asks healthcare entities to assess their own susceptibility to security breaches and tailor compliance efforts to their particular risk level.
"The degree of response is determined by the risks identified," the rule says. "This approach will provide flexibility for all entities, especially small entities that would be most concerned about the cost and complexity of the security standards."
This approach takes some pressure off small medical practices, according to Andrew Melczer, co-chairman of the security and privacy committee for the Strategic National Implementation Process, a HIPAA implementation cooperative. Melczer is vice president for health policy research at the Illinois State Medical Society.
"Like the privacy rule, it's scalable," Melczer says. "The bigger you are, the more you have to do."
HHS concurrently issued modifications to the existing rules on transactions and code sets for electronic data interchange. The changes permit healthcare providers to send nonretail pharmacy transactions according to the Healthcare Common Procedure Coding System rather than forcing them to adopt the National Drug Codes favored by retail pharmacies.