Final security rule includes "addressable" specifications
HIPAA Weekly Advisor, March 28, 2003
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
The final security rule introduces organizations to the term "addressable." The regulations create a distinction between the underlying required implementation specifications and addressable specifications.
"Addressable" specifications allow organizations to determine that an implementation specification really isn't reasonable for it and think of a comparable alternative. If there isn't a reasonable alternative, the organization can eliminate the specification as long as it provides documentation and analysis, explains Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA. "But all the implementation specifications allow latitude for flexibility and scalability anyway. There's already a huge debate on how to interpret the term."
One example of an addressable standard is the requirement for having a termination procedure. "They give as an example a doctor whose spouse is his only staff," says Borten. "To me, there is no rational explanation for not requiring this standard information security function so that a doctor should have a checklist of at least two or three points such as to disable his wife's user ID and give back the office keys."
It would have made more sense to say all the standards are required, but scalable and flexible, she says. "A small doctor's office and a huge multi-state organization are obviously going to have to implement things differently."
View everything as required, suggests William Miaoulis, CISA, principal at Phoenix Health Systems, in Montgomery Village, MD. "Then, you can make an argument for NOT doing something, instead of FOR doing something."
Go to http://www.hipaapro.com/news/hipaa_downloads.cfm to download a PDF of the final security rule from the February 20 Federal Register.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- HIPAA Q&A: Level of encryption needed for email
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Hospitals are not bound by InterQual criteria for determining patient status
- ED-to-inpatient transfers are flawed with safety gaps
- Searched