HHS Issues Security Rule Guidance
(August 13, 2004)

Covered entities under the HIPAA security rule are not required to certify compliance with the rule's provisions, according to new guidance from the Centers for Medicare and Medicaid Services. The security rule, however, requires covered entities to periodically perform evaluations to establish the extent to which technological and nontechnological security policies and procedures meet the requirements, according to the agency, which has enforcement jurisdiction over the rule.

"The evaluation can be performed internally by the covered entity," according to the guidance. "There are also external organizations that provide evaluations or certification services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that the Department of Health and Human Services does not endorse or otherwise recognize private organizations' certifications, and such certifications do not absolve covered entities of their legal obligations under the security rule. Moreover, performance of a certification by an external organization does not preclude HHS from subsequently finding a security violation."

CMS has also published new guidance on 11 other areas of the security rule on the Frequently Asked Questions page of its HIPAA administrative simplification Web site, www.cms.hhs.gov/hipaa/hipaa2.

Among other areas, the guidance discusses:

  • The difference between "risk analysis" and "risk management,"
  • Whether access control requirements cover remote employees (Yes), and
  • If minimum operating system requirements are mandated for personal computers (No, with a caveat).

Posted to HIPAAcomply 8/13/04