Wednesday, January 8, 2025

HIPAA NPRM Summary

If you've been hiding under a rock and are just catching up after the holidays, there's a new HIPAA Security Rule out for review.

Printed out, the newly proposed HIPAA Security Rule is about 465 pages, of which 121 are footnotes, and 38 pages are actual regulatory text, leaving 306 pages of prefatory/explanatory/justification material in front matter.  I'll skip to the rules in my first read through.

And then we get to Subpart C, which is the remainder of the HIPAA proposed rule changes.

First, the definitions get an update ...

Definitions were added for the following key terms:

  • Deploy
  • Implement
  • Multifactor authentication
  • Risk
  • Technical Controls
  • Vulnerability

Some definitions were clarified, but not really functionally changed from the perspective of a reasonably educated person.

  • Administrative safeguards
  • Information System
  • Password
  • Physical Safeguards
  • Security or Security Measures
  • Security Incident
  • Workstation

With respect to "reasonably educated", that includes neither lawyers nor regulatory pedants. Both are over-educated and so might actually care about the improved text in HIPAA.

Finally, three definitions were somewhat changed in HIPAA:

Access: adds "delete" and "transmit", and substitutes "component of an information system" for "system resource".

Malicious software: Now includes "firmware" with more description of the intent or impact of the software.

Technical Safeguards: Clarified and included technical controls as a type of safeguard.

§ 164.306 Security standards

The general rules are revised a bit but mostly unchanged, EXCEPT:

  • (b)(2)(v) is added to require consideration of the effectiveness of the measure, AND
  • (c) requires both standards & implementation specifications, and (d) is dropped [THIS IS A BIG CHANGE].

§ 164.308 Administrative safeguards 

is very little like its predecessor, although I imagine it includes all of the requirements of that, plus a lot more.  I'm going to do a deeper review of the changes to HIPAA 45 CFR 164.308 later.

§ 164.310 Physical Safeguards

Mostly the same, but an annual maintenance requirement is ADDED to each standard, whereby you must review & test policies & procedures at least annually.

It also adds implementation specs for workstation use & technology assets (a.k.a. devices).

§ 164.312 Technical Safeguards

adds a lot of new content and is going to require deeper analysis.

§ 164.314 Organizational requirements

I would say this is largely unchanged except the new requirement that any time an organization activates its contingency plan it must notify the organization or group health plan it has a BAA with w/in 24 hours.

§ 164.316 Documentation requirements 

is largely unchanged but somewhat restructured. The maintenance of documentation is strengthened from "as needed" to "at least annually".

§ 164.318 Transition 

was previously about compliance deadlines & remains so, but in the proposed rule the text gets more convoluted and has to do with existing renewals and deeming compliance based on existing contracts. Get your lawyers to explain it, I'm not gonna.

§ 164.320 Severability

adds a clause that basically says:

If anything here is invalid or unenforceable, etc... it shall be interpreted to give the maximum effect & if necessary will be held separate so as to not affect anything else we said you gotta do.

That's the end for now on my read of changes in HIPAA.  There will be more as I must do deeper analysis on 308 and 312.
