A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Health Insurance Portability and Accountability Act (HIPPA)

A law that safeguards computer-based health information

HIPPA is a law enacted by the U.S. Congress in 1996. Title I protects health insurance coverage for workers when they lose their jobs. Title II establishes nationwide standards for electronic health care transactions and identification schemes for employers, providers, and health plans.

Title II of HIPPA, called the Administrative Simplifications, is particularly pertinent to information privacy and security in the digital age. It seeks to put measures in place against identity and data theft, while at the same time encouraging the use of electronic storage and transmission in the U.S. health care industry.

More details about HIPPA can be found at the link under References below. This encyclopedia entry is restricted to the effects HIPPA has had on computer-based information exchange.

HIPPA details three security safeguards for compliance:

Administrative

  • Organizations should practice least-privilege access when it comes to protected health information (PHI). This means that only employees who have a documented need to access these records should be allowed to do so.
  • These privacy procedures for securing user data should be clearly documented and made available to the patients.
  • If organizations out-source their work to third party vendors, they should ensure that the vendors adhere to the same set of security and privacy rules.There should be regular back-ups of the data, preferably at some off-site location, and a contingency plan for recovery in case of system/environmental disasters.

Physical

  • Access to hardware and software should be limited to authorized individuals. It should be strictly controlled using some form of authentication, and should be monitored.
  • Workstations should be removed from high-traffic areas and monitors should not be visible to the public.

Technical

  • Information systems should be protected from intrusions. When information flows over networks, encryption [encyclopedia entry] should be used. HIPPA goes into details about the types of encryption options allowed, such as Public Key, Symmetric, etc.
  • The identity of the entity accessing information should be ensured. This means that use of password, digital signature, checksums, and other forms of message authentication should be used.
  • The data present on the system should not be tampered with. In order to ensure this, on–disk encryption and access control policies should be used.
  • All the network layout and activity should be monitored.

HIPPA thus strives to instill confidence in users that their data is safe and private. Organizations who do not comply with these policies are heavily fined. Since identity and data theft are commonplace, the HIPPA standards outline precise and strong integrity checks. While no system is failsafe, HIPPA goes a long way towards creating a more secure process of managing patient data.

References

My home page