November 2004 In Depth, "Protecting the 'CIA' of Electronic Health Data: Employers' Role in HIPAA Security Compliance"
Employers that sponsor health plans must soon face a new compliance challenge associated with the Health Insurance Portability and Accountability Act (HIPAA): the security rules. These rules require group health plans and other "covered entities" to protect the confidentiality, integrity and availability (CIA) of electronic protected health information (ePHI) that they create, receive, maintain or transmit, either internally or to external entities (e.g., health care providers, insurance carriers and third-party administrators). HIPAA's security and privacy rules are interconnected. However, the security rules are limited to ePHI, rather than to any form of PHI (i.e., verbal, paper or electronic), which is covered by the privacy rules.
Although the security rules do not generally take effect until April 21, 2005, employers should begin taking the necessary steps to comply. This In Depth reviews employers' role in HIPAA security compliance.
The In Depth includes a detailed table that outlines the standards and implementation specifications that apply to health plans for the administrative, technical and physical safeguards.