Written by David Y
August 29, 2022
Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information (PHI). Organizations that have to be HIPAA compliant first need to understand what PHI data they have, where PHI data resides, who their business associates are, their legal contracts, current policies, and controls in place. HIPAA violations can have fines can be up to 1.5 million per year. Breach notification costs, attorney fees, lawsuits, etc. can also be many thousands. This also doesn’t include additional laws and industry regulations in U.S. states, European Union, PCI, etc. A risk management framework, proper security controls, a solid technology infrastructure, and training are all needed to meet such requirements.