In my last post I shared drivers and trends related to security and compliance, and as promised, this time I'll go deeper into HIPAA.
Health data confidentiality is not new. The principle goes back thousands of years to the Hippocratic oath, and for several hundred years many countries have had long-standing professional confidentiality rules, and more recently data protection or privacy legislation, built on top of it.
It is worth pointing out that the terms "data protection" and "privacy" are essentially synonymous, although their definitions vary across the world. "Privacy" is the usual term in the U.S.; "data protection" is much more common elsewhere. Some languages, such as French and Spanish, have no precise equivalent for "privacy", and speakers of those languages tend to say "data protection" instead.
HIPAA demands a very wide range of security controls, from soft governance mechanisms through physical and operational controls to technical mechanisms such as encryption, audit trails and role-based access. The HIPAA Security Rule groups these safeguards into three categories: administrative, physical and technical. Here is what each one covers:
- Administrative: policies, procedures, training, security in vendor contracts, contingency plans, audits, breach response
- Physical: physical access control, restrictions on removal of data or equipment, control of visitors
- Technical: access control, authentication, communications security, data integrity, intrusion prevention, protection against data loss, configuration control, risk management
Look Beyond HIPAA
The scope of HIPAA is very similar to that of the ISO 27000 series, but it is much less detailed. It is also much less prescriptive than the Payment Card Industry Data Security Standard (PCI DSS), and it is not as up to date as emerging privacy legislation such as the EU General Data Protection Regulation (GDPR). So it is important not to look at HIPAA in isolation but at the whole set of best practices that are emerging and accepted. Laws can be interpreted very broadly: you have to implement what a reasonable observer would judge to be current best practice, because that is what your auditors, lawyers and courtrooms will measure you against.
Not just any encryption will do. You need current, accepted encryption systems. For example, PCI DSS recently banned the use of SSL (and "early TLS", meaning TLS 1.0) because it is no longer regarded as secure; you must use a current version of TLS. You won't find that requirement spelled out inside HIPAA, but you will find it in equivalent standards around the world.
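The "SSL is banned, use TLS" rule only helps if you can tell whether your own configuration actually enforces it. The example below is added here and is not from the original post: it uses Python's standard `ssl` module to build a hardened client context, a constructed legacy context of the kind that fails a review (the names `hardened_client_context`, `legacy_client_context`, `audit_context` and `probe_server` are my own), and a small audit that reports the settings an assessor would flag: a minimum protocol below TLS 1.2, an unverified peer certificate, and a missing hostname check.

```python
from __future__ import annotations

import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3 / TLS 1.0 / TLS 1.1 and verifies the server.

    create_default_context() already loads the system CA store and turns on
    certificate and hostname verification; the explicit minimum_version makes
    the protocol floor independent of the interpreter's or OpenSSL's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed example of a context that would fail a TLS policy review.

    It lets the peer negotiate down to TLS 1.0 and skips certificate checks,
    which is what a lot of copy-pasted 'make the warning go away' code does.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy findings for a context; an empty list means it passes.

    TLSVersion is an IntEnum ordered by protocol version, so a plain comparison
    against TLSv1_2 catches SSLv3, TLS 1.0, TLS 1.1 and MINIMUM_SUPPORTED alike.
    """
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}; require TLSv1_2 or newer"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    return findings


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and return the negotiated protocol name.

    A server that only speaks SSLv3 or TLS 1.0 fails the handshake here, which is
    exactly the signal you want from a compliance check. Needs network access,
    so it is not exercised by the offline audit above.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

Run the audit against every `SSLContext` your services build (and against the defaults of any HTTP client library you use, which differ between versions), and keep `probe_server` for spot-checking third-party endpoints that handle health data.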
And of course failure to comply with HIPAA is expensive: civil penalties run up to USD 1.5 million per year for each category of violation, and deliberate violations at the most serious criminal tier can carry up to 10 years in prison. That is a pretty big incentive not to make too many mistakes.
What Does Hippocrates II Have to Do With It?
So what do HIPAA and Hippocrates II have in common? One of the true benefits stemming from the Hippocratic practice of medicine in ancient Greece was its foundation of prognosis. If you think about it, HIPAA is your prognosis, and how you fare depends on what medicine you choose to take. Fortunately, you have more at your disposal than the ancient Greeks did.
Next week I'll share my thoughts on the EU's General Data Protection Regulation (GDPR) and what it may mean for you and your company.