HIPAA, the “Health Insurance Portability and Accountability Act”, is a U.S. law enacted in 1996 that governs health information and health insurance. Its Privacy and Security Rules set standards for the electronic handling of medical data in order to protect sensitive patient information. In recent years, the penalties for violating this law have increased substantially, which has led organizations to intensify their compliance efforts, especially now that HIPAA audits are actually being carried out.
Because the penalties for non-compliance were initially minimal, many organizations delayed implementing the HIPAA requirements. However, since the HITECH Act (“Health Information Technology for Economic and Clinical Health”) was passed in 2009, the penalties for violating HIPAA regulations have increased significantly and can now run to millions of dollars. In addition, state attorneys general may now bring civil actions on behalf of the residents affected by these violations. HITECH also requires health organizations to notify affected individuals and regulators of breaches or leaks involving protected health information.
According to a Gartner analyst, many organizations believe that data encryption is a HIPAA requirement, whereas under the Security Rule it is an “addressable” implementation specification rather than a mandatory one. He recommends encryption mainly where data travels over wireless networks or is processed in cloud computing environments. The Gartner analyst also states that organizations subject to HIPAA should focus their efforts on completing a HIPAA risk assessment, which demonstrates that security controls have been applied to reduce the threat scenarios deemed most likely. Another important aspect highlighted by Gartner concerns documentation: it is important to document the security program and the decisions taken regarding the protection of sensitive data, since that record is what an auditor will ask for.
For more information on the Gartner analyst’s recommendations, please see the following article:
By Patrick Paradis, Information Security Advisor