The Health Insurance Reform: Security Standards (45 CFR parts 160, 162 and 164) establishes standards for the security of electronic Protected Health Information (ePHI) to be implemented by health plans, healthcare clearinghouses, and certain healthcare providers.1 The security standard implements some of the requirements of the Administrative Simplification subtitle in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These security rules became effective April 21, 2003, and compliance was expected by April 21, 2005. Are you compliant? Have you even started your compliance efforts?
Some of us may be assuming these standards apply only to our enterprise clinical data systems, so clinical engineering is not affected and this is IT's problem. If you are in that category, let me share this statement from the security standards: "Covered entities must ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits."1
With the constant integration of information technologies into traditional biomedical devices, many of these devices now do all four of the above: they create, receive, maintain, and transmit ePHI. Unless you have passed on all support responsibilities for medical equipment to your IT personnel, you are affected.
In this article, we will discuss the preliminary steps necessary to begin integrating the HIPAA security standards into your clinical engineering program. Getting started on any project of this size and complexity requires commitment throughout the organization to ensure success.
Step 1: Knowledge is King
The security standards are broad in scope, yet very detailed in their compliance requirements. Acquiring a working knowledge of the security standards will help demystify the task ahead. Several valuable sources of information, implementation strategies, and tools are available to help get you started.2
Step 2: Get Involved
Your IT department has probably already started addressing the enterprise data systems, and will soon (if not already) be approaching you to integrate your information and strategies with theirs. This multi-disciplinary effort should be coordinated in the overall security management program overseen by the institution's designated security...