HIPAA Hooray!
OK, maybe you're not doing cartwheels. But for companies staring down HIPAA (the Health Insurance Portability and Accountability Act) it's time to hit the mats.
By Daintry Duffy
September 04, 2002 — CSO — OK, maybe you're not doing cartwheels. But for companies staring down HIPAA—the Health Insurance Portability and Accountability Act—it's time to hit the mats.
Large portions of the 1996 bill that standardizes electronic data interchange for health-care organizations and protects the confidentiality and security of health-related data are finally nearing enactment. Companies affected by HIPAA—including health-care providers, employers, life insurers and universities—are facing an Oct. 16, 2002, compliance date for the electronic standards portion of HIPAA and an April 14, 2003, compliance date for the privacy standards.
Because the regulations for the security standards portion of the bill won't be introduced until late this year, CSOs might be tempted to put their preparations off, but that would be a mistake. "You can't have privacy without security," notes Brian Wyatt, an associate in the health-care group at Ropes & Gray law firm in New York City. CSOs will play a critical role in implementing and enforcing the policies and procedures that govern who has access to protected health information, deciding how information is used within the organization and ensuring that business partners that have access to employee health information implement similar access controls.
Wyatt notes that his team frequently sees that individuals in companies who perform clerical tasks like billing are actually able to access specific individual health-care information because the access codes in the information systems are improperly configured. These kinds of problems will fall largely to the CSO and security team to fix.
CSOs in many companies are also going to find that they have a new executive partner to work with courtesy of HIPAA. The privacy regulations require that affected companies have an individual responsible for ensuring that privacy policies are followed. In large companies that may mean the appointment of a chief privacy officer.
Read more about data privacy in CSOonline's Data Privacy section.
Other stories by Daintry Duffy
Is privacy an ally of security, next of kin, or something else? These articles dig into the hows and whys of data privacy and data protection, and its relationship to enterprise security efforts.
6 ways we gave up our privacy
The effect of social networks, web 2.0 technologies, and other privacy-shaking developments
7 Firefox plugins for data privacy
Plug data-leaking holes in your web browsing
4 signs of an easy victim on social networks
Scammers and hackers of all kinds scour social sites for personal data
Potential privacy 'gotchas' in cloud computing
How to respond to a data breach notification
5 things to know about the Chief Privacy Officer
- Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- The CISO's Survival Guide to Securing Data
- FireEye Advanced Threat Protection KnowledgeVault
- Five Tips to Consider in a Data Security Strategy for Smartphones and Tablets
- Moving Your Email to the Trusted Cloud
- Comprehensive Server Protection
- Howard Schmidt went the distance
With Howard Schmidt leaving the White House at the end of the month, the critiquing of his tenure is in full swing -- as it should be. There are still plenty of loose ends dangling in D.C., most notably Congress' inability to craft legislation that strikes the right balance between security and privacy. - #FFSec: Security pros to follow on Twitter, May 18
- DHS cybersecurity official leaves more questions than answers
More Salted Hash with Bill Brenner
