What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (HIPAA) security standards became law on 20 Feb 2003, and they take effect on 21 Apr 2005.

What is HIPAA? To give an oversimplified description, one of the features of the Health Insurance Portability and Accountability Act (HIPAA) is that it requires everyone in the health care industry, from physicians to insurance companies, to protect the data that patients entrust to them, ensuring that those data are revealed only to persons and organizations with a legitimate need to know them, and only with the patient's prior permission. People and organizations affected by HIPAA include the following:

  • Providers: hospitals, clinics, and anyone providing healthcare
  • Payers: insurance companies, HMOs and other health plans
  • Other organizations that do business with providers and payers (these must also comply with HIPAA)

What is the impact of HIPAA on Information Technology? IT is a central function for most healthcare organizations, and even more so under HIPAA. IT must integrate adherence to HIPAA regulations into its "ordinary" duties, so that a baseline level of compliance is maintained even when routine processes break down.

In addition, there are specific new responsibilities for IT, including:

  • The requirement of recording access to Protected Health Information (PHI)
  • Interacting more frequently with legal counsel as they work to ensure the requirements are sufficiently addressed
  • Increasing security of your systems
  • Increasing security of your network:
    • Your LAN
    • Your access to the Internet
    • Your firewall
    • Intrusion detection
  • Store records in a secure area. Make sure only authorized employees have access to the area.
    • Store paper records in a room, cabinet, or other container that is locked when unattended.
    • Ensure that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods;
    • Store electronic customer information on a secure server that is accessible only with a password -- or has other security protections -- and is kept in a physically-secure area;
    • Don't store sensitive customer data on a machine with an Internet connection; and
    • Maintain secure backup media and keep archived data secure, for example, by storing off-line or in a physically-secure area.
  • Provide for secure data transmission (with clear instructions and simple security tools) when you collect or transmit customer information.
    • If you collect health information or other sensitive data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit;
    • If you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail; and
    • If you must transmit sensitive data by electronic mail, ensure that such messages are password protected or encrypted so that only authorized employees have access.
  • Dispose of customer information in a secure manner.
    • Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information;
    • Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service that specializes in handling confidential recycling picks it up;
    • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information (note that this is harder than it seems: the same technologies that exist for recovering lost data can be turned to recovering data you have deliberately tried to destroy);
    • Effectively destroy the hardware;
    • Promptly dispose of outdated customer information; and
    • Ensure all temporary files created are fully encrypted and/or deleted.
  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. For example, supplement each of your customer lists with at least one entry (such as an account number or address) that you control, and monitor use of this entry to detect all unauthorized contacts or charges.
  • Maintain a close inventory of your computers.
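Two of the IT responsibilities above, recording every access to Protected Health Information and seeding a customer list with a controlled "canary" entry whose use exposes improper disclosure, can be illustrated together. The following is an added example written for this page; it is not code from Wyebay Networks, and the patient records, user names, authorization list and the simulated scenario are all constructed sample data standing in for a real access-control system.

```python
"""
Added example (not from the original page): a minimal PHI access audit log
combined with a planted canary record.

Assumptions (constructed for illustration):
  - RECORDS is a tiny in-memory stand-in for a PHI data store.
  - AUTHORIZED_USERS stands in for the organisation's real access-control list.
  - "CANARY-0001" is a record the security team controls; no legitimate
    workflow should ever read it, so any access to it is a signal.
"""
import json
from datetime import datetime, timezone

# Constructed sample PHI records (not real people).
RECORDS = {
    "P-1001": {"name": "Sample Patient A", "dob": "1970-01-01"},
    "P-1002": {"name": "Sample Patient B", "dob": "1985-06-15"},
    "CANARY-0001": {"name": "Canary Entry", "dob": "1900-01-01"},
}
CANARY_IDS = {"CANARY-0001"}

# Users permitted to read PHI (assumption: a flat list replaces a real ACL).
AUTHORIZED_USERS = {"nurse_jones", "dr_smith"}


class PhiAuditLog:
    """Append-only trail of every PHI access attempt, allowed or denied."""

    def __init__(self):
        self.entries = []

    def record(self, user, record_id, allowed, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "record_id": record_id,
            "allowed": allowed,
            "reason": reason,
        }
        self.entries.append(entry)
        return entry

    def to_jsonl(self):
        """Serialise the trail one JSON object per line for shipping to a log store."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def read_phi(user, record_id, audit):
    """Fetch a record; the attempt is logged first so denials are recorded too."""
    if user not in AUTHORIZED_USERS:
        audit.record(user, record_id, False, "user not authorized")
        return None
    if record_id not in RECORDS:
        audit.record(user, record_id, False, "no such record")
        return None
    audit.record(user, record_id, True, "ok")
    return RECORDS[record_id]


def canary_alerts(audit):
    """Audit entries that touched a canary record: each one is a lead that a
    list was exported or browsed outside legitimate use."""
    return [e for e in audit.entries if e["record_id"] in CANARY_IDS]


def denied_accesses(audit):
    """Audit entries for attempts that were refused."""
    return [e for e in audit.entries if not e["allowed"]]


def simulate():
    """Constructed scenario: one legitimate read, one unauthorized attempt,
    and a bulk enumeration by an authorized user that sweeps up the canary."""
    audit = PhiAuditLog()
    read_phi("nurse_jones", "P-1001", audit)
    read_phi("contractor_x", "P-1002", audit)
    for rid in RECORDS:  # an unrestricted export loop reads every record
        read_phi("dr_smith", rid, audit)
    return audit


if __name__ == "__main__":
    log = simulate()
    print(log.to_jsonl())
    print("denied:", len(denied_accesses(log)), "canary hits:", len(canary_alerts(log)))
```

The point of the canary check is that it catches misuse by authorized users, which a simple allow/deny list cannot: in the simulated scenario the bulk export by `dr_smith` is permitted on every record, yet the single hit on `CANARY-0001` is enough to flag the export for review.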

How can we help you with compliance?

  • First, determine if there are gaps currently in your:
    • Security and privacy policies and procedures
    • The current state of IT security
    • Your IT security audit capabilities
  • Review appropriate sections for compliance with HIPAA in areas such as
    • IT technical security mechanisms and capabilities
    • Network/Internet/Dial-up capabilities
    • Physical access controls
    • System access controls
    • Data storage
  • Design your:
    • System and application security configuration requirements
    • Network
    • Internal processes (with our recommendations)
  • Implement the above
  • Help you manage system failures, including the prevention, detection, and response to attacks, intrusions or other system failures, including:
    • Help you develop a written contingency plan to address any breaches of your physical, administrative or technical safeguards;
    • Develop a plan to regularly obtain and install patches that resolve software security vulnerabilities;
    • Help you obtain and install anti-virus software that updates automatically;
    • Maintain up-to-date firewalls, particularly if you use broadband Internet access or allow employees to connect to your network from home or other off-site locations;
    • Assist you in developing and maintaining central management of security tools for your employees and pass along to your designated personnel updates about any security risks or breaches; and 
    • Double-check the security of the system connecting via VPN from home (if the home system is compromised, or is on a compromised home network, access to the secured business network may be possible).

Copyright © Wyebay Networks Inc.