CMS issues new HIPAA security guidance

The Center for Medicare and Medicaid Services (CMS) has issued new guidance on the HIPAA (Health Insurance Portability and Accountability Act) security rule stating that health care providers, plans and clearinghouses are not required to certify compliance with the rule's provisions. Instead, CMS said they must perform regular evaluations to test which technological and non-technological security policies and procedures meet the rule's requirements.

These evaluations can be performed by the covered entity or by an external organization that provides evaluations or certification services, according to CMS. However, certification by an outside organization does not prevent the Department of Health and Human Services (HHS) from finding a security violation.

The security mandate, which takes effect April 21, 2005, requires physicians and covered entities to protect the confidentiality and availability of patient data that is either stored in an information system or transmitted electronically. Covered entities must conduct a risk analysis, which requires physicians to examine their information systems and determine any security risks. The rule also requires covered entities to appoint a chief security officer and to periodically instruct staff on security policies and procedures. Offices also must create a contingency plan in the event that information systems are destroyed.
