The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996.
HIPAA is used primarily for organizations in the health care sector.
Note
The information in the HIPAA sections that follow is compiled from "Compliance and Risk Management: HIPAA" at http://www.cisco.com/en/US/netsol/ns625/net_value_proposition0900aecd80380862.html.
Organizations that provide health care services, or whose activities classify them as a health care institution, are subject to HIPAA assessments.
HIPAA security policy applies to any entity (individual or company, public or private, government or nongovernment) that transmits any health information in electronic or print form in connection with a health care transaction. Examples include:
Covered healthcare providers
Health plans
Health care clearing houses
Medicare prescription drug card sponsors
HIPAA compliance is mandatory and requires health care institutions to:
Implement security standards that protect patient data
Standardize on electronic data interchange (EDI)
Speed up the processing of medical claims
Implement standards for transmitting medical data
Protect the confidentiality of personal health information while in transit and while being stored
To comply with this act, HIPAA requires health care organizations to implement information security controls that are tightly integrated and comprehensive.
The internationally recognized ISO/IEC 27002 standard (formerly ISO/IEC 17799) provides a best-practice framework for achieving these objectives; the Cisco Self-Defending Network solution is designed to align with the controls that ISO/IEC 27002 recommends.
Violation of HIPAA may result in the following civil and criminal penalties:
Civil penalties: Violations can result in civil monetary penalties of $100 per violation, up to $25,000 per year.
Criminal penalties: In June 2005, the United States Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals (as explained in the sections that follow) who "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA face a fine of up to $50,000 and imprisonment for up to one year. Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine and up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of up to $250,000 and imprisonment for up to ten years.
The Department of Health and Human Services (DHHS) Office of Civil Rights (OCR) enforces the privacy standards, whereas the Centers for Medicare and Medicaid (CMS) enforce both the transaction and code set standards and the security standards (65 FR 18895).
Table 25-2 lists the Cisco products and solutions that help address HIPAA requirements.
In summary, health care institutions need a system-based approach that is collaborative and adaptive, offering an effective security governance framework to manage information security and provide guidelines to meet HIPAA compliance requirements.
For more details about HIPAA, refer to the following documentation URLs: