
HIPAA—Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996.

HIPAA applies primarily to organizations in the health care sector.

Note

The information in the HIPAA sections that follow is compiled from "Compliance and Risk Management: HIPAA" at http://www.cisco.com/en/US/netsol/ns625/net_value_proposition0900aecd80380862.html.


Who Is Affected

Organizations that provide health care services, or whose activities classify them as a health care institution, are subject to HIPAA assessment.

HIPAA applies to any covered entity (individual or company, public or private, government or nongovernment) that transmits any health information in electronic form in connection with a health care transaction. The Privacy Rule protects individually identifiable health information in any form, electronic or print, whereas the Security Rule covers health information that is created, received, maintained, or transmitted electronically. Examples include

The HIPAA Requirements

HIPAA compliance is mandatory and requires health care institutions to

To comply with this act, HIPAA requires health care organizations to implement information security controls that are tightly integrated and comprehensive.

The internationally recognized ISO/IEC 27002 (formerly ISO/IEC 17799) provides a best-practice framework for achieving these objectives; the Cisco Self-Defending Network solution aligns itself with the controls recommended by ISO/IEC 27002.

Penalties for Violations

Violation of HIPAA may result in the following civil and criminal penalties:

The Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) enforces the privacy standards, whereas the Centers for Medicare & Medicaid Services (CMS) enforce both the transaction and code set standards and the security standards (65 FR 18895). Note that since 2009, enforcement of the security standards has also been delegated to OCR.

Cisco Solutions Addressing HIPAA

Table 25-2 lists the Cisco products and solutions that help address HIPAA requirements.

Table 25-2. Cisco Solutions Addressing HIPAA Requirements

Requirement: Protect Against Unauthorized Access
Cisco Solutions:

  • Cisco Secure Access Control Server (ACS)

  • 802.1X

  • Network Admission Control (NAC)

  • Cisco Integrated Services Routers (ISR)

  • Cisco ASA 5500 Series Adaptive Security Appliances

Requirement: Secure Data Exchange with Affiliates and Service Providers
Cisco Solutions:

  • VPN technologies

  • IPsec

  • DMVPN

  • SSL VPN

Requirement: Detecting, Preventing, and Responding to Attacks and Intrusions
Cisco Solutions:

  • Cisco Security Monitoring, Analysis, and Response System (CS-MARS)

  • Cisco IPS solutions

  • Cisco Security Agent (CSA)

  • Cisco Security Manager

Requirement: Implement, Test, and Adjust a Security Plan on a Continuing Basis
Cisco Solutions:

  • Cisco Security Posture Assessment and Penetration Testing Services


HIPAA Summary

In summary, health care institutions need a system-based approach that is collaborative and adaptive, providing a security governance framework for managing information security and guidelines for meeting HIPAA compliance requirements.

For more details about HIPAA, refer to the following documentation URLs:

http://www.hipaa.org/

http://www.hhs.gov/ocr/hipaa/

http://www.ama-assn.org/ama/pub/category/11805.html

http://www.wikipedia.org/wiki/HIPAA
