HIPAA: Protecting your health data


by John Kulas, Bridge360 Software Security Analyst

The third and final compliance standard that I’ll comment on in our series on compliance is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”, usually pronounced “hip-pa” even though it has only one “P” and two “A”s).

HIPAA is a very large and complex law that covers many facets of medical care. I am most interested in the portions that involve the security and privacy of health data; those portions protect you so that your medical information is not available to anyone who happens to be interested in it.

In addition to all the usual information technology security aspects, HIPAA has some interesting compliance requirements. HIPAA requires documentation and disclosure to you of who updates your medical information, as well as tracking and documentation of who reads your medical information and when. It also safeguards verbal discussion of your medical information.

For example, if two doctors meet in a hallway and begin discussing your medical information, there are potentially two HIPAA violations happening. First, is the second doctor actually involved in your treatment, or is the first doctor just spontaneously chatting about you? It’s OK for the first doctor to talk generically about your medical condition, but that doctor is not supposed to mention specifics about you such that someone could figure out it was you the first doctor was talking about. Secondly, the two doctors must ensure that no one overhears them discussing your medical information. A hallway is not a good place to discuss confidential information such as your medical information.

One initial problem with HIPAA was that it lacked enforcement and lacked significant penalties. That was solved by the American Recovery and Reinvestment Act of 2009 (“ARRA”). Besides providing a stimulus package for the economy, it also significantly expanded HIPAA’s privacy and security regulations, including increased enforcement and penalties for HIPAA violations. Civil and criminal penalties for violations were increased, and most significantly, state attorneys general were given the power to prosecute and seek civil penalties for violations. You can now search the web for “HIPAA violation cases” to see reports of companies being fined, people being fined, people being fired and people being sentenced to jail time for HIPAA violations.

So HIPAA and ARRA’s enhancements to it are important, because they protect your medical information from just anyone learning about your medical condition(s).

If there are other compliance standards that you are interested in having me write about, please let me know at john_kulas@bridge360.com. I am more knowledgeable about the information technology and business continuity aspects, but I can comment on most of them.

This is the last of a three-part series on compliance presented by John Kulas, a software security analyst for Bridge360. John is a Certified Information Systems Auditor with over a dozen years’ experience across at least a dozen companies. His technical background includes 23 years at IBM. Today, he assists Bridge360 client Xerox/ACS in meeting compliance standards, and enjoys helping non-technical business people understand compliance requirements.

Author: bridge360blog

Software Changes Everything.... Bridge360 improves and develops custom application software. We specialize in solving complex problems at every phase of the software development lifecycle, removing roadblocks to help our clients’ software and applications reach their full potential in any market. The Bridge360 customer base includes software companies and world technology leaders, leading system integrators, federal and state government agencies, and small to enterprise businesses across the globe. Clients spanning industries from legal to healthcare, automotive to energy, and high tech to high fashion count on us to clear a path for success. Bridge360 was founded in 2001 (as Austin Test) and is headquartered in Austin, Texas with offices in Beijing, China.
