"The HIPAA Compliance Guide will help healthcare organizations identify and address information security issues," says James P. Keller, M.S., director of ECRI’s Health Devices Group. "The Guide provides valuable tools and resources to use with a security program, including downloadable forms, customizable worksheets, checklists for inventorying and analyzing risks, tools for setting priorities and implementing a mitigation plan, and much more."

Compromises to the security of information stored in biomedical devices and systems can seriously affect patient health and may be life threatening. ECRI and ACCE developed the HIPAA Compliance Guide to assist healthcare provider organizations in starting an ongoing process for the management of biomedical technology that continues well after the Security Rule’s deadline.

"Time is running out for organizations to comply with the security requirements of HIPAA" says Stephen L. Grimes, FACCE, chair of the ACCE HIPAA Task Force. "This Guide can help organizations save precious time and money because a majority of the hard work has already been done and is included on the CD-ROM. The CD-ROM contains an extensive overview of the HIPAA Security Rule, reviews necessary compliance measures for medical technology, and provides recommendations on implementing the rules with specific medical-technology-related examples."

Information Security for Biomedical Technology: A HIPAA Compliance Guide is available for $695. ACCE members and members of ECRI’s SELECTplus™, Health Devices System, Health Devices Gold, and Healthcare Risk Control (HRC) System members can purchase the Guide for the discounted price of $495. An order form can be downloaded from ECRI’s Web site at www.ecri.org or below.

The final rule adopting standards to protect the security of electronic health information was issued by the U.S. Department of Health and Human Services on February 20, 2003, under the Health Insurance Portability and Accountability Act of 1996. The Security Rule applies to covered entities that create, receive, maintain, or transmit protected health information in any electronic form, including digital imaging modalities, and other medical devices that store or transmit health information.

HIPAA’s Security Rule requires entities to implement administrative, physical, and technical safeguards to ensure the integrity, confidentiality, and availability of protected information. Covered entities must conduct a risk analysis, assign security responsibility, and implement a security plan that includes device and media controls. They must also implement security incident report procedures, ensure security awareness, and provide training. In addition, covered entities must develop a policy to place sanctions on staff who violate security rules.

For general information, contact:
      Kristy Kline
      +1 (610) 825-6000, ext. 5416
      kpkline@ecri.org