CMS provides educational papers on HIPAA Security Rule

July 28, 2005

The April 20 deadline for the Health Insurance Portability and Accountability Act Security Rule has come and gone. But for radiology departments still struggling to meet compliance, the Centers for Medicare and Medicaid Services has published three more educational papers to demystify the rule.

"This is our attempt to provide guidance for covered entities. Our focus regarding HIPAA enforcement is to always go for voluntary compliance," said Karen Trudel, deputy director of the Office of E-Health Standards and Services at CMS.

The three papers released in June join two others previously published by CMS. The organization plans to release two more educational papers covering security topics, for a total of seven:

  • Security 101 for Covered Entities

  • Security Standards: Physical Safeguards

  • Security Standards: Administrative Safeguards

  • Security Standards: Technical Safeguards

  • Security Standards: Organizational, Policies & Procedures, and Documentation Requirements

  • Basics of Risk Analysis & Risk Management

  • Implementation for the Small Provider

While CMS doesn't have a publication date yet for the small provider paper, the risk analysis paper is well through the review process and should be published shortly, Trudel said.

In general, feedback at conferences and roundtable discussions on the papers has been positive, according to CMS security specialist Brad Peska.

"There has been value in the papers, especially for smaller providers trying to get a better handle on the topic," he said.

For links to PDF files of the educational series, users can visit the HIPAA Web site and navigate to the page devoted to Security Rule education. HIPAA's main Web site also has links to FAQs, additional educational materials, and a schedule for roundtable discussions on the topic.

"We're trying to demystify security," Trudel said. "People think that security is a complex technological area. They think they will be overwhelmed by the need for consultants, new equipment, and technical expertise. We're trying to get across the fact that a lot of security is common sense."