In Depth

Managing HIPAA's Pain

Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.

By Sarah D. Scalet

Page 7

About two years ago, the Newport Beach, Calif.-based company launched a comprehensive, companywide information security program. Now all that Pacific Life's group health insurance division really has to do to comply with the HIPAA security rule is complete a final security audit, just to make sure nothing slipped through the cracks.

To comply with California's SB 1386, the company has processes and procedures to identify potential security breaches and communicate them to customers. The company has even decided to undergo a voluntary Sarbanes-Oxley 404 exercise, in which the business units will document and validate the company's controls over key financial processes, including security safeguards and controls. (Pacific Life is privately held, so it is not required by law to comply with Sarbanes-Oxley.)

So how can Krause stay cool in the face of HIPAA compliance and much, much more? Well, why not? In the end, she has found, none of the regulations are so different after all.

"The HIPAA security rule, the HIPAA privacy rule, SB 1386, Sarbanes-Oxley: they all really play into supporting privacy and confidentiality of customer information," she says. "If you do your security program based on best practices, then you are most likely going to comply with any regulations attempting to support privacy and confidentiality."
