The Health Information Privacy and Accountability Act (HIPAA) of 1996 sounds fairly straightforward when you read the title. The point is to improve the privacy of health information.
The healthcare sector has seen tremendous increase in security and privacy regulation, at both the federal and state level, due to HIPAA. In 2003, entities that maintain “protected health information” (PHI) were required to comply with the act's privacy rule. In 2005, the same entities were required to comply with its security rule.
The privacy rule is intended to tell us what data must be protected, regardless of format, and how it can and cannot be used by the organizations maintaining the data. This is not really a security regulation, since it only tells us what data is defined as “protected” and what we can do with it. It is, however, important to security professionals because it tells us what we must protect and what we are allowed to do with the data.
The security rule spends less time describing covered entities and business associates (the organizations to which the rule applies) and more time providing requirements for protecting PHI. Unlike the other HIPAA rules, the security rule only applies to electronic PHI.
The security rule outlines both mandatory and addressable requirements. A covered entity can choose not to implement an addressable requirement, but must document why the choice was made and what alternate controls are in place to protect the ePHI. Encryption of ePHI “at rest,” for example, is addressable. If you have appropriate alternate controls in place, you can get away with not encrypting your databases and still comply with the rule. If you think this sounds like risk management, you are correct.
The vagueness of the rules has led to the rise of consulting firms that claim to be “HIPAA experts,” and regulations that are supposed to help you implement the rules. The U.S. Department of Health and Human Services and the National Institute of Standards and Technology (NIST), as well as many other organizations, have published regulations, guidelines and white papers on the topic. But they do not fully agree on the appropriate steps to compliance.
This is tough enough to deal with if you work within healthcare, the industry for which HIPAA was created. At least there, you can draw upon a pool of people who have implemented the requirements or were involved in crafting the rules. Unfortunately, a significant number of organizations outside healthcare are subject to the security and/or privacy rules and may not realize it.
The rules apply to anyone that maintains PHI, with certain, very limited exceptions. If your company runs its own benefits program rather than outsourcing it, then HIPAA applies. Perhaps you are a software vendor that sells software to a hospital. If the hospital has provided you test data on real patients to help you troubleshoot a software bug, then HIPAA applies. Most companies have some need to comply with HIPAA.
So, where do you start? First and most important, read the security rule and determine 1) whether you maintain PHI within your organization, and 2) whether you are a covered entity under HIPAA. You might be surprised.
If you find that you fall under HIPAA, you will need to start your research. It's true that the many publications and “experts” on HIPAA are often contradictory, but for all their lack of clarity, they do contain common healthcare security practices that will help you understand your obligations under the rules. And since you have to start somewhere, it's a good idea to seek out published, free resources, such as NIST publications on the security rule. Find subject matter experts, perhaps even a consulting firm, to work with to understand your compliance requirements.
Eric Cowperthwaite has more than 20 years of experience as a security practitioner and leader, including nine years of experience in healthcare security. Currently, Mr. Cowperthwaite is the chief security officer of Providence Health and Services, which has 29 hospitals and more than 50,000 employees located in five western states. Mr. Cowperthwaite is under review for membership to the Security Executive Council.
