Volume 2 / Paper 2, 5/2005: rev. 3/2007
Security SERIES
Compliance Deadlines
No later than April 20, 2005 for all covered entities except small health
plans, which have until no later than April 20, 2006.
NOTE: To download the first paper in this series, “Security 101 for Covered
Entities,” visit the CMS website at: www.cms.hhs.gov/SecurityStandard/ under
the “Regulation” page.
What is the Security Series?
The security series of papers will provide guidance from the Centers for
Medicare & Medicaid Services (CMS) on the rule titled “Security Standards
for the Protection of Electronic Protected Health Information,” found at 45
CFR Part 160 and Part 164, Subparts A and C, commonly known as the
Security Rule. The Security Rule was adopted to implement provisions of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA). The
series will contain seven papers, each focused on a specific topic related to
the Security Rule. The papers, which cover the topics listed to the left, are
designed to give HIPAA covered entities insight into the Security Rule and
assistance with implementation of the security standards. This series explains
specific requirements, the thought process behind those requirements, and
possible ways to address the provisions.
CMS recommends that covered entities read the first paper in this series,
“Security 101 for Covered Entities,” before reading the other papers. The first
paper clarifies important Security Rule concepts that will help covered
entities as they plan for implementation. This second paper in the series is
devoted to the standards for Administrative Safeguards and their
implementation specifications and assumes the reader has a basic
understanding of the Security Rule.
Background
An important step in protecting electronic protected health information
(EPHI) is to implement reasonable and appropriate administrative safeguards
that establish the foundation for a covered entity’s security program. The
Administrative Safeguards standards in the Security Rule, at § 164.308, were
developed to accomplish this purpose.
Security Standards: Administrative Safeguards
Security Topics
1. Security 101 for Covered Entities
2. Security Standards - Administrative Safeguards
3. Security Standards - Physical Safeguards
4. Security Standards - Technical Safeguards
5. Security Standards - Organizational, Policies & Procedures, and Documentation Requirements
6. Basics of Risk Analysis and Risk Management
7. Implementation for the Small Provider