Washington Technology reports that the National Institute of Standards and Technology (NIST) has published a guide for meeting HIPAA security standards, set to go into effect April 21, 2005. Given the brief period before the law goes into effect, one would think this guide would be of little use. However, this study reports that as of a couple of months ago:

Nine percent of hospitals with 400 or more beds reported compliance with the security rule, compared with 18 percent of hospitals with less than 400 beds.

Most folks think of this as just an IT concern -- it is not.  The law refers to "electronic protected health information" (EPHI), i.e., patient identifiable data of any kind.  This extends beyond Social Security or credit card numbers and lab results to include physiological parameters, vital signs and waveforms. Interestingly, while they define EPHI, the NIST resource guide does not mention "medical devices" once. You can read more about medical device security here.

You can download the 137 page Resource Guide here.

UPDATE: The Centers for Medicare and Medicaid Services published HIPAA enforcement procedures in the Federal Register last Friday. Details on how to file a complaint and the process that CMS will use to pursue a complaint are detailed.  These procedures apply to the Security and Transaction and Code Set  provisions and not the privacy portion of HIPAA, which is covered under separate procedures established and managed by the Office for Civil Rights.

The Department of Health and Human Services (HHS) has released the third of seven planned guidance papers on the Security provisions. You can get the latest HIPAA guidance and enforcement info here.