HR Management & Compliance

Employment Law Tip: Have You Met the HIPAA Security Rules Deadline?

Last year, large health plans (those with receipts of at least $5 million) had to come into compliance with new electronic security rules mandated by HIPAA, the Health Insurance Portability and Accountability Act. The rules are a corollary to the HIPAA privacy requirements for individual protected health information (PHI) and specify a series of administrative, technical, and physical security procedures that covered entities must implement to ensure the confidentiality, integrity, and availability of PHI in electronic format.


400+ pages of state-specific, easy-read reference materials at your fingertips—fully updated! Check out the Guide to Employment Law for California Employers and get up to speed on everything you need to know.


Come April 20, 2006, small health plans—those with claims and/or premiums of less than $5 million—will also have to comply with these security rules. But note that employer-administered plans with fewer than 50 eligible participants are exempt.

If you sponsor a small plan, make sure you’re in compliance now. Here are some of the key compliance action items:

  • Identify a security official within your organization who will be responsible for developing, maintaining, and enforcing required policies and procedures regarding electronic PHI
  • Conduct a risk analysis
  • Adopt appropriate safeguards to protect electronic PHI
  • Develop policies and procedures to ensure that all members of your workforce have appropriate access to electronic PHI and to prevent giving access to those workforce members who don’t need it
  • Train employees who handle electronic PHI
  • Implement procedures on how to respond to security incidents
  • Adopt a sanctions policy
  • Implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain electronic PHI
  • Update contracts with business associates to ensure compliance with the security rules