SecurityInfoWatch

Security Technology Executive, Magazine Archives, June 2007

Updated: March 5th, 2008 02:12 PM EDT
HIPAA Compliance: Not Just a Healthcare Issue

By Eric Cowperthwaite

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 sounds fairly straightforward when you read the title, but the part of it that matters to security professionals is its mandate to protect the privacy and security of health information.

The healthcare sector has seen a tremendous increase in security and privacy regulation, at both the federal and state level, because of HIPAA. In 2003, entities that maintain “protected health information” (PHI) were required to comply with the act's privacy rule. In 2005, the same entities were required to comply with its security rule.

The privacy rule tells us what data must be protected, regardless of format (paper, spoken or electronic), and how it can and cannot be used or disclosed by the organizations maintaining it. It is not really a security regulation, since it only defines what data counts as “protected” and what may be done with it. It is nonetheless important to security professionals because it tells us what we must protect and what we are allowed to do with that data.

The security rule spends less time describing covered entities and business associates (the organizations to which the rule applies, directly or through contract) and more time laying out requirements for protecting PHI. Unlike the other HIPAA rules, the security rule applies only to electronic PHI (ePHI).

The security rule's implementation specifications are either “required” or “addressable.” A covered entity can choose not to implement an addressable specification, but it must document why that choice is reasonable and appropriate and what alternate controls are in place to protect the ePHI. Encryption of ePHI “at rest,” for example, is addressable. If you have appropriate alternate controls in place, you can leave your databases unencrypted and still comply with the rule. If this sounds like risk management, you are correct: the rule requires a documented risk analysis to justify such decisions.

The vagueness of the rules has led to the rise of consulting firms that claim to be “HIPAA experts,” and to a stream of guidance intended to help you implement the rules. The U.S. Department of Health and Human Services (HHS), the National Institute of Standards and Technology (NIST) and many other organizations have published rules, guidelines and white papers on the topic. But they do not fully agree on the appropriate steps to compliance.

This is tough enough to deal with if you work within healthcare, the industry for which HIPAA was created. At least there, you can draw upon a pool of people who have implemented the requirements or were involved in crafting the rules. Unfortunately, a significant number of organizations outside healthcare are subject to the security and/or privacy rules and may not realize it.
