HIPAA Security Rule hits another pothole

January 28, 2003

Publication of HIPAA's Security Rule, promised at the end of December, has been delayed again. But Privacy Rule compliance still looms this spring.

The Federal Register of Friday, Dec. 27, 2002, made no mention of either the final Security Rule or the transactions modifications due to be published on that date. The rule had previously been promised for December 2001, then February 2002, then August 2002. It is now expected to be published in February 2003.

The Department of Health and Human Services did not publish the rules on Dec. 27 as expected, nor did it explain the latest delay.

"Managing expectations is a required skill for HIPAA implementations," said Jim Bloedau, president of Information Advantage Group, a San Francisco e-healthcare consulting firm.

As of Jan. 13, the Security Rule had been handed off to the Office of Management and Budget, the White House panel that reviews federal regulations for budgetary impact.

OMB usually takes two weeks to 90 days to turn around a regulation. OMB anticipates publishing the final rule, along with any modifications to the Transactions and Code Set Standards, in February, according to Tracy Field, an attorney specializing in HIPAA issues at Arnall Golden Gregory in Atlanta.

Once the Security Rule is published, covered entities will have two years to comply with the security regulations. Small health plans will be given an additional 12 months to comply, said Kris Hughes, an attorney with SG&A Consulting.

The Security Rule addresses issues such as encryption of e-mail, firewalls, and password integrity.

"The Security Rule is more technical in terms of how you keep locks on your doors and how you make sure that only authorized people are in your building," Field said.

The Privacy Rule deals with issues inside the walls: now that you have authorized people in the building, how do you ensure they're communicating appropriately?

"The distinction is artificial," Field said. "I'm not sure it holds water. How can you ensure privacy without security? You can't, yet these rules are on totally different tracks."

The Privacy Rule compliance deadline is still April of this year.

The disparity can be frustrating for providers preparing to comply with the Privacy Rule, especially those considering revamping the way they transmit electronic data, Field said.

"How do you do that if you don't know what the security requirements are going to be?" Field said.