HIPPA Compliance Audit
PUBLIC LAW 104-191
AUG. 21, 1996, 104th Congress
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two sections. HIPAA Title I mandates protection of health insurance coverage for people who lose or change jobs. HIPAA Title II provides for administrative simplification, requiring the development of standards for the electronic exchange of health care information, the protection of the privacy of personal health information and the establishment of security requirements to protect that information. Additionally, Title II contains two key rules, The Security Rule and The Privacy Rule which health care institutions must comply with in order to achieve HIPAA compliance.
HIPAA Privacy Rule
The Privacy Rule took effect on April 14, 2003 and establishes regulations for the use and disclosure of Protected Health Information (PHI). This empowers patients with rights to access their medical records, restrict access by others, request changes, and to learn how they have been accessed. The rule establishes the first set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care.
HIPAA Security Rule
The Security Rule was issued in 2003 and lays out three types of security safeguards required for compliance: administrative, physical, and technical. It serves to ensure that internal controls are in place to enforce the Privacy Rule. Health care institutions must ensure the confidentiality, integrity and availability of all electronic protected health information and must protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Software Security and HIPAA
Unlike other compliance regulations, the Security Rule does not require specific technologies to be used. Health care entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.
Since the enactment of HIPAA in 1996, the industry has moved from paper-based solutions to one where patient information is completely controlled by software and universally accessible via web applications. No HIPAA compliance effort is complete without ensuring that software applications have been tested for vulnerabilities which may compromise the integrity or privacy of patient information.
Metro Data, Inc. Helps Health Care Organizations Achieve HIPAA Compliance
There are two primary sections of HIPAA that relate to network security; Administrative Safeguards (Section 164.308) and Security Safeguards (Section 164.312):
164.308(a)(5)(ii)(B) - Protection From Malicious Software
HIPAA Text: "[Organization must have] procedures for guarding against, detecting and reporting malicious software."
There are many forms of malicious software that can impact data and networking systems. Viruses, Worms and Trojans are the most prolific threats, and are usually introduced via infected email attachments. Newer threats such as web site cross-scripting, SQL injection attacks and even Spyware can affect data and systems. To protect against the predominant delivery mechanisms of malicious software, the security schema must provide: (1) Virus and Worm protection through Gateway and Desktop Anti-virus systems (contrary to what many believe, AV systems do little to stop Trojans); (2) Trojan identification and mitigation, as well as FTP, IM and P2P threat mitigation through Intrusion Prevention (IPS) systems ; and (3) Web Content Filtering to prevent malware delivered over Port 80 and 443 (web downloads, etc).
164.308(a)(6)(ii) - Response and Reporting
"Identify and respond to suspected or known security incidents; mitigate to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes."
We have been supporting Healthcare providers since our inception (long before HIPAA). Let our experience work for you to provide evidence that the integrity and privacy of patient information has been protected and that your information technology systems are able to withstand modern threats.