Security Standards
The HIPAA Security Standards must be applied by health plans, health care clearinghouses, and health care providers to all health information that is maintained or transmitted electronically. The standards are intended to protect both the system and the information it contains from unauthorized access and misuse. Each covered entity must assess its systems for potential risks and vulnerabilities to the health information it houses and develop, implement, and maintain appropriate security measures. The security requirements include:
- Administrative procedures - security measures to protect data and manage the conduct of personnel in protecting data
- Physical safeguards - protection of physical computer systems and related buildings from hazards and intrusion
- Technical security services - processes to protect, control, and monitor information access
- Technical security mechanisms - processes to prevent unauthorized access to data transmitted over a communications network
The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications. Compliance is required by April 21, 2005.
- The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
More information on the implementation of this rule can be found at the CMS website.
- IHS Security Standards Checklist [PDF-41KB]
The IHS effort to comply with the HIPAA Security Standards is being led by Ryan Wilson, the Chief Information Security Officer (CISO), or a designee. If you want information on what the CISO is doing, he can be reached by telephone at 301-443-2537.
IHS Information Security Status
There is a great deal of crossover between the Federal Information Security Act (FISMA), which applies to Federal programs, and the security requirements of HIPAA. The attached matrix [PDF 1MB] demonstrates the areas of crossover. The Indian Health Service has been working to comply with FISMA for several years, and by doing so IHS has met most of the HIPAA security standards. Information on the IHS Information Security Program can be found at the IHS Security Program WEB site. The attached manual [PDF 1.5MB] provides guidelines for navigating the IHS Security Program WEB pages. For security reasons this security WEB site is only available to users of the IHS Intranet.
IHS Chief Information Security Officer Guidance for Meeting HIPAA Security Standards.