Earlier this week, news broke that the U.S. Department of Health and Human Services imposed its first civil penalties on health care organizations for violations of the Health Insurance Portability and Accountability Act privacy provisions. Thanks to the Health Information Technology for Economic and Clinical Health Act, HHS has HIPAA enforcement authority that actually means something, and, from the looks of things, will actually use it.
That's good news for patients whose information will, in theory, be better protected. However, it may not be good news for those organizations that haven't gotten all that serious about HIPAA security and privacy compliance. HIPAA itself doesn't prescribe precise methods for securing information and maintaining confidentiality. The law just requires security and privacy controls to be in place.
So how does a company subject to those requirements determine that the controls it has in place are sufficient, especially given that there is not yet a long history of HHS enforcement actions from which to learn?
Last week, I talked to Web hosting firm NeoSpire's director of security, Sean Bruton, who offered an intriguing suggestion. Health care organizations looking to get a jump on HIPAA security compliance should consider using the Payment Card Industry Data Security Standard as a model. He explained:
PCI is extremely specific. There are 220-something controls in the PCI Data Security Standard, and there's almost no variability in how they're applied ... It's also a standard that's very pervasive. Anyone who touches credit cards handles it, and it's usually easier for people to communicate that they based their security controls on PCI than that they based them on standards to which businesses don't usually have the same exposure.