How to ensure security compliance with HIPAA

Computerworld - The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective April 14, which means it's time to pay attention if you haven't done so already.

HIPAA is a set of federal regulations intended to protect and simplify the exchange of health care data. Compliance deadlines have been stretched out over the next few years. Compliance means doing everything in your power to follow the letter and spirit of the law without going out of business.

The HIPAA Privacy Rule is federal law, and anyone not in compliance can face up to $250,000 in fines and jail time of up to 10 years. The rule applies to electronic protected health information -- essentially, patients' medical records and other personal health care information. It affects companies that transmit protected health information in electronic form, which includes health plans, health care clearinghouses and health care providers. These organizations are referred to as "covered entities."

Full compliance will require that these entities understand the threats and liabilities to this protected data and that they implement a wide variety of safeguards and security best practices. Where should these health care companies start, if the urgent has driven out the merely important? There are so many drivers in today's world that compliance, however imminent, seems to be very far away.

	Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at marcia@wilsonsecure.com.

Administrative

Start at the top. The administrative portion is 50% of the rule. Advocates of top-down policy suggest that this is the right place to begin. What is the security management process of the organization, and who has responsibility for it? If the organization hasn't already done so, establish a chief privacy officer. The chief privacy officer would be responsible for establishing policy and procedure for employees and others who have access to the health care data.

Security awareness and training is the critical next step. If employees aren't aware of or don't understand the policy, it's of no use. Incident-handling also needs to be factored into the equation. An incident response team should be established in conjunction with the position of privacy officer to develop policy and procedure. This team can be responsible for contingency planning as well, depending on the size of the organization. Contingency planning is needed to provide an alternative plan once a breach has occurred. Document everything, plan on keeping that data for six years plus, and you're almost there.