Health Care - CIOInsight

HIPAA Security Compliance Deadline Draws Near

By M.L. Baker


Health care payers and providers have two weeks until security rules protecting electronic health information kick in. Accordingly, trade and government groups have released an array of tools to help them make sure they are complying with the law.


The deadline of April 20 is set by HIPAA (Health Insurance Portability and Accountability Act) and covers all but the smallest of health plans.

Although some small payers and providers are still scrambling to meet the deadline, most are well on their way to compliance, if not already there, said Chris Noell, vice president of business development at Solutionary Inc., which helps companies manage their security needs. "There hasn't been a last-minute rush; we were seeing as much demand six months ago as we are today," he said.

As companies move from implementing security policies to maintaining them, Noell advised firms to consider regulations like HIPAA, PCI (credit card security policies) and the Sarbanes-Oxley Act collectively rather than separately. "Doing these as one-offs is incredibly expensive," he said.

In general, health care payers and providers tend to focus on specific details while neglecting the big picture. For example, it's common for firms to over-invest in firewalls and anti-virus tools but lack a policy on what to do and whom to notify if something goes wrong.

For entities still worried about the specific requirements two weeks away, the following might help:

  • A week before the deadline—on April 13 at 2 p.m. ET—the Centers for Medicare & Medicaid Services will host a National HIPAA Security Roundtable conference call. The call-in number is (877) 203-0044 and the identification number is 4587639.

  • The National Institute of Standards and Technology, a government group that makes security recommendations, has a 137-page "overview," Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

  • The Department of Health and Human Services has released papers with compliance advice. The latest describes physical safeguards; another is called "Security 101 for Covered Entities." These, plus other checklists and resources, are available here.

  • The American Hospital Association has also posted advice on becoming compliant with HIPAA rules.

  • Medical device manufacturers may want to use a standardized form provided by HIMSS that describes a device's security features, as well as what protected health information a device might receive or transmit. The form, called the MDS², or Manufacturer Disclosure Statement for Medical Device Security, is endorsed by The American College of Clinical Engineering, the National Electrical Manufacturers Association and ECRI (formerly the Emergency Care Research Institute).


