HIPAA requires businesses that handle personal health information (PHI) to set up strong controls to ensure the security and integrity of that information. Learn how Tripwire Enterprise helps meet the detailed technical requirements of HIPAA and delivers continuous compliance.
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
White paper
Configuration Control for Virtual and Physical Infrastructures

Introduction

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009. The law includes new rules that affect the health care industry and those entities that might handle, process or maintain personal health information. The new rules revolve around two primary areas:

• The mandated adoption of new electronic health record systems (and standards, controls and protections around that adoption)
• The expansion of breach notification rules concerning personal health records.

If the Recovery Act raises any concerns, it is that these new rules outlined in the Act clearly must coexist with the 1996 HIPAA law. HIPAA security rules did not address the security of Protected Health Information (PHI) by all entities that might handle or process protected health information; specifically, it did not address the electronic health records, aggregators, personal health record (PHR) vendors and processors that are addressed by the Recovery Act. While the Recovery Act tries to recognize and address the boundaries between the Recovery Act and HIPAA, some in the industry express concern that the next steps are unclear and have doubts that the Recovery Act will be flexible enough to address the business structures that it will create. However, few doubt that many technical and procedural concerns will have to be ironed out by the Department of Health and Human Services (HHS) or the legal system.

If you follow the money, it is easy to see where changes are most likely to be made as a result of the Recovery Act. Hundreds of millions of dollars will be spent encouraging physicians and hospitals to invest in new electronic systems and development of an electronic health information exchange that would tie new systems together. In turn, grants will be written and projects launched to protect and strengthen existing and new systems from breaches and other security risks. Finally, the Recovery Act has designated millions to the National Institute of Science and Technology (NIST) to help develop new security standards for health records and information to support this developing space. The result is likely more detailed guidance for regulators and compliance initiatives. HIPAA provisions will be re-examined for suitability to the new world of electronic health records and ever-expanding digital technologies. In any case, the basic privacy protection methods begin with risk assessment, and we assume there will always be a call for technologies designed to detect and assess change to the IT infrastructure.

We bring up...

Background

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was enacted to safeguard Protected Health Information (PHI) by mandating procedures and controls to assure the public that critical and private information is protected from loss of confidentiality, integrity or availability. With few exceptions, an organization is subject to HIPAA if it exchanges data related to the health care profession.

Improper release of private information has become frequent, and the number of affected persons is rising quickly (well over 250 million people)[1]. News stories often highlight serious infractions such as public posting of diagnosis and patient information or inadvertent release or loss of personal records. Often, these stories speak of human error that caused information to be left unprotected. But there is deliberate misconduct and theft as well, e.g. the February 2009 case at Catskill Regional Medical Center (Harris, NY), where an employee was accused of spying and stealing the social security numbers, birth dates and financial information commonly protected under HIPAA. These events and their redress are expensive for both the patient and the business.

Organizations subject to HIPAA, called "Covered Entities (CE)," will include:

• Health care providers (doctors, hospitals, etc.),
• Health care insurance and health plan clearing houses,
• Businesses who self-insure, and
• Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage (like flexible spending accounts)[2].

Meeting the requirements of HIPAA requires most businesses to set up strong processes, methods and controls to assure audi-

[download for more]