Finalized HIPAA security rule makes its long-awaited debut

Although this version is a big improvement over the earlier rule, compliance is still no easy task for doctors.

By Joel B. Finkelstein, AMNews staff. March 17, 2003.

Washington -- A final rule regulating security for electronic patient records clarifies many of the requirements for upgrading computer systems, but it doesn't remove all doubts.

Only time can tell what measures the government will find adequate for compliance with the rule, mandated as part of the Health Insurance Portability and Accountability Act of 1996.

Experts advised physicians to wait for the government and industry groups to produce guidance materials before trying to implement new policies or systems to safeguard electronic medical records.

Doctors have some time, as the rules do not become effective until April 2005. However, considering the complexity of transitions to new computer systems and software, they may not want to wait too long.

"As much as possible, institute commonsense security measures" for now, said Robert Tennant, senior policy adviser for the Medical Group Management Assn. But doctors should wait for the industry to set standards before dropping a bundle on consultants who can evaluate their systems and recommend upgrades.

"At this point, nobody really knows what the government is going to expect," he said.

Doctors' practices, which are nearing the April 14 deadline to implement HIPAA-mandated privacy measures, should also take into account the overlapping aspects of the privacy and security rules.

The privacy rule mainly addresses physical safeguards and protecting patient information in paper documents, while the security rule addresses solely electronic information. Doctors should evaluate their compliance with both rules on an ongoing basis, experts noted.