The final rules for securing electronic health-care information were entered into the Federal Register last week and will take effect on April 21. They require health-care companies to develop, implement, and document the measures they take under the Health Insurance Portability and Accountability Act to ensure that health information remains secure. Large health-care organizations will have until April 2005 to comply, while smaller ones must comply by April 2006.
Security experts warn a lack of specifics may cause confusion. "This is going to be a free-for-all for a long time," says Pete Lindstrom, research director at Spire Security.
But for companies already on top of their security efforts, the new rules shouldn't be a burden. Says Bruce Peck, information security manager at St. Vincent Hospitals and Health Care Center: "This outlines what we were already doing."