Information Security Compliance: HIPAA

6 years ago
Eric Vanderburg

HIPAA is a regulation intended to help covered entities and their business associates protect Electronic Protected Health Information (ePHI). The U.S. Department of Health and Human Services (HHS) outlines who HIPAA applies to in its definition of a covered entity.

Health and Human Services (HHS) lists a covered entity as any of the following:

  • A Health Care Provider
  • A Health Plan
  • A Health Care Clearinghouse

A health care provider includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A health plan includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans health care programs

A health care clearinghouse includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., a standard electronic format or data content), or vice versa.

In addition to those seen in the diagram below, HIPAA applies to companies that provide services that would use ePHI, such as suppliers or outsourced IT providers.

Now that we know who this applies to, we can discuss the basics of HIPAA compliance. The primary goal of HIPAA is to protect ePHI, which includes names, dates such as birth, admission, discharge, and death, telephone numbers, SSNs, photographs, addresses, etc. Companies under this regulation will need to implement technical and procedural controls to protect this information and perform a risk analysis of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Technical controls include such things as encryption, authentication, password complexity, access auditing, and segmentation, and procedural controls include such elements as password policies, incident response plans, contingency plans, and audit procedures.

HIPAA also requires companies to provide patients with information on their privacy practices, and they must record the patient's acknowledgment that the information was received. You have most likely experienced this at the doctor’s office.

The covered entity or business associate must provide a plan outlining how the company will follow the act and must designate someone who is responsible for creating and implementing policies to support the plan. If a company outsources certain business processes, then the company must make sure that the third party is also in compliance with HIPAA standards.

This article is too short to go into detail on the controls necessary for an organization, but each system that houses or transmits ePHI will need to have adequate controls, and each person who works with ePHI will have to follow procedures intended to protect this private information. The scope of HIPAA compliance can be quite broad. Included under this broad umbrella are doctor’s offices and other medical fields for the protection of patients. Certain businesses are also included. Any company that gives its employees a degree of healthcare is bound to follow the confidentiality rules as well as the uniformity rules. HIPAA defines a covered healthcare provider as a person or business that deals with healthcare in the normal course of the business day and does so electronically.

This first installment in a series of blogs about information security compliance dealt with the medically related HIPAA, the Health Insurance Portability and Accountability Act of 1996. We defined it and included a summary of the applications of HIPAA. Finally, we included an overview of which companies should be concerned with the application, and therefore the implementation, of HIPAA.