The Centers for Medicare and Medicaid Services (CMS) has issued new guidance on the HIPAA (Health Insurance Portability and Accountability Act) security rule stating that health care providers, plans and clearinghouses are not required to certify compliance with the rule's provisions. Instead, CMS said they must perform regular evaluations to test whether their technological and non-technological security policies and procedures meet the rule's requirements.
These evaluations can be performed by the covered entity itself or by an external organization that provides evaluation or certification services, according to CMS. However, certification by an outside organization does not prevent the Department of Health and Human Services (HHS) from finding a security violation.
The security mandate, which takes effect April 21, 2005, requires physicians and other covered entities to protect the confidentiality and availability of patient data that is either stored in an information system or transmitted electronically. Covered entities must conduct a risk analysis, which requires physicians to examine their information systems and identify any security risks. The rule also requires covered entities to appoint a chief security officer and to periodically instruct staff on security policies and procedures. Offices must also create a contingency plan for the event that their information systems are destroyed.