The third and final compliance standard that I'll comment on in our series on compliance is the Health Insurance Portability and Accountability Act of 1996 ("HIPAA", usually pronounced "hip-pa" even though the acronym has only one "P" and two "A"s).
HIPAA is a very large and complex law that covers many facets of medical care. I am most interested in the portions that govern the security and privacy of health data: those portions protect you by ensuring that your medical information is not available to just anyone who is interested in it.
In addition to all the usual information technology security aspects, HIPAA has some interesting compliance requirements. HIPAA requires documentation, and disclosure to you on request, of who updates your medical information, as well as tracking and documentation of who reads your medical information and when. It also safeguards verbal discussion of your medical information, not just the electronic and paper records.
For example, if two doctors meet in a hallway and begin discussing your medical information, there are potentially two HIPAA violations happening. The first question is whether the second doctor is actually involved in your treatment, or whether the first doctor is just spontaneously chatting about you. It is fine for the first doctor to talk generically about your medical condition, but that doctor is not supposed to mention specifics that would let someone figure out that you are the patient being discussed. Secondly, the two doctors must ensure that no one overhears them discussing your medical information. A hallway is not a good place to discuss confidential information such as you and your medical history.
One initial problem with HIPAA was that it lacked enforcement and lacked significant penalties. That was addressed by the American Recovery and Reinvestment Act of 2009 ("ARRA"), specifically the HITECH Act contained within it. Besides providing a stimulus package for the economy, ARRA significantly expanded HIPAA's privacy and security regulations, including increased enforcement and penalties for HIPAA violations. Civil and criminal penalties for violations were increased, and most significantly, state attorneys general were given the power to bring civil actions and seek civil penalties for violations on behalf of their residents. You can now search the web for "HIPAA violation cases" to see reports of companies being fined, individuals being fined, people being fired and people being sentenced to jail time for HIPAA violations.
So HIPAA, and ARRA's enhancements to it, are important because they protect your medical information from just anyone learning about your medical condition(s).
If there are other compliance standards that you are interested in having me write about, please let me know at firstname.lastname@example.org. I am more knowledgeable about the information technology and business continuity aspects, but I can comment on most of them.
This is the last of a three-part series on compliance presented by John Kulas, a software security analyst for Bridge360. John is a Certified Information Systems Auditor with over a dozen years' experience across at least a dozen companies. His technical background includes 23 years at IBM. Today, he assists Bridge360 client Xerox/ACS in meeting compliance standards, and enjoys helping non-technical business people understand compliance requirements.