The Centers for Medicare & Medicaid Services is reminding physicians that under the Administrative Simplification Requirements of the Health Insurance Portability & Accountability Act of 1996 (HIPAA), the security standards compliance date is April 20, 2005. Providers have a responsibility to ensure that the necessary changes to comply with the HIPAA security standards are made.

The security standards are scalable and technology-neutral. This means that covered entities should take into account their size, complexity, capabilities and potential risks to their electronic protected health information when complying with the standards. The standards do not specify any particular technology. In other words, they outline what must be done – not how to do it.

The security standards require covered entities to implement safeguards within three categories: administrative safeguards – management of the selection and execution of security measures; physical safeguards – protections for electronic systems and related building and equipment from environmental hazards and unauthorized intrusion; technical safeguards – automated processes to protect data and control access to it.

Physicians are obligated to have a procedure in place prior to April 20, 2005, that will ensure data is safeguarded every time they dispose of a computer or other device that might contain protected health information. Erasing data from a computer's hard drive, or other electronic storage media such as a disk or tape, requires reformatting the disk or tape or using commercial disk-cleaning programs. Third-party companies that specialize in this service are available to physicians and their office staff; however, a HIPAA-compliant business associate agreement must be in place prior to working with a company.

HIPAA applies to any device that stores electronic protected health information, including desktop, laptop and handheld computers, backup disks, tapes or CDs, as well as diagnostic equipment.