Guidelines for HIPAA compliance in the works

Computerworld - Health care organizations looking for more information on how to comply with HIPAA security mandates may soon get more help.
URAC, a nonprofit accreditation agency for the health care industry, along with the Workgroup for Electronic Data Interchange and the National Institute of Standards and Technology, is developing guidelines for implementing HIPAA security policies.
The Healthcare Security Workgroup, which the three organizations created earlier this year, met in Washington last week to discuss how to consolidate industry best practices and security standards into a set of easily implemented instructions. The goal is to give organizations subject to the Health Insurance Portability and Accountability Act something they can use to ensure compliance with the law's security requirements by the April 15, 2005, deadline, said Adam Stone, a member of the workgroup. The group aims to deliver the guidelines by the middle of next year.
"No standard measures exist in the health care industry" to implement HIPAA's security requirements, Stone said. "One of the major problems with the rule is that it is so broad. There are a million different ways to approach it in terms of compliance."
The workgroup will study how it can adopt and adapt NIST's more general security specifications for federal information systems in the health care sector, said Lisa Gallagher, senior vice president of Washington-based URAC. Similarly, the workgroup will gather information on best practices, case studies and other standards efforts by organizations such as the Healthcare Information and Management Systems Society.
"We are going to gather all this information and make it available on a national basis," Gallagher said, by means of white papers and a portal site.
The community feedback that's being collected by the workgroup is also useful in adapting NIST standards for the health care industry, said Arnold Johnson, a NIST program manager in Washington.
"Real standards are very, very [much] needed," said Roger Brown, a senior IT auditor at Jefferson Health System, a $2 billion health care organization in Radnor, Pa. "Only the economically strong [companies] will comply with the intent of the law. Most will spend the absolute minimum they think they can get away with." Standards will provide a formal yardstick for measuring compliance, he said.

HIPAA HIPAA Hooray

The Healthcare Security Workgroup's objectives are to: BRING TOGETHER key stakeholders from the public and private sectors to facilitate communication and consensus on best practices for information security in health care. PROMOTE the implementation of a uniform approach to security practices and assessments. Source: URAC, Washington