HIPAA Privacy and Security Standards Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to increase the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care. All the key players in the industry, including providers, payers (health plans), and clearinghouses, are required to comply with HIPAA. HIPAA also applies to businesses and government organizations that provide health benefits to their employees and thereby collect and manage health information protected by the Act.

The HIPAA Security Rule (the final rule adopting the security standards) specifies a series of administrative, physical, and technical safeguards that providers, payers, clearinghouses, and the businesses and government organizations covered by the Act must use to assure the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI).


Technical safeguards in HIPAA include:

Access control: Technical policies and procedures must be implemented for electronic information systems that contain EPHI so that access is allowed only to persons or software programs that have been granted access rights.
Audit controls: Hardware, software, or procedural mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI.
Integrity: Policies and procedures must be implemented to protect EPHI from improper alteration or destruction, together with a mechanism to confirm that EPHI has not been altered or destroyed in an unauthorized manner.
Person or entity authentication: Procedures must be implemented to verify that a person or entity seeking access to EPHI is who or what it claims to be.
Transmission security: Technical security measures must be implemented to guard against unauthorized access to EPHI while it is being transmitted over an electronic communications network (e.g., the Internet).

Note that some implementation specifications under these standards, such as encryption, are "addressable" rather than "required": a covered entity must implement them where reasonable and appropriate, or document why it did not and what equivalent alternative measure it adopted instead. "Addressable" does not mean optional, and auditors will expect that documented risk analysis.

As a result, insurers and providers are required to develop and implement enterprise-wide security programs to comply with the security and privacy standards under HIPAA. Many have adopted the ISO/IEC 17799 standard (since renumbered ISO/IEC 27002) as a control framework for meeting the HIPAA security standards, and have deployed a wide array of products that add layers of protection but also add significant complexity and cost.

Despite substantial investments, most organizations still struggle to find a mechanism to define and enforce the right policies and controls to comply with HIPAA in a cost-effective manner.

Agiliance IT GRC 5-step process

The Agiliance IT GRC platform is specifically designed to address these issues. It provides a holistic, real-time view of security, compliance, and risk across the whole enterprise. Agiliance enforces and monitors policies and controls across functional and geographical boundaries within a company and improves compliance with the HIPAA standards in a cost-effective manner.


Agiliance's Key Capabilities:

  • Maintain a repository of all relevant assets (hardware, software, physical IT infrastructure, IT processes) that affect EPHI. Asset information can either be imported from external systems or populated through asset discovery technology. The system supports a comprehensive asset data model that documents relationships between assets, organizations, processes, and people.
  • Use surveys to identify how critical an asset is to maintaining the integrity and confidentiality of EPHI, and then assess its overall risk.
  • Maintain a library of controls based on a widely used framework such as ISO/IEC 17799/27001.
  • Provide an infrastructure for assessing compliance with controls:
    • Automate the process of distributing and collecting periodic surveys and self-assessments to evaluate compliance.
    • Integrate with monitoring tools and compare asset configuration against controls and policies to identify non-compliance on a continuous basis.
  • Report asset compliance scores, both for status tracking and as evidence of compliance for internal and external auditors.
  • Compute an asset's composite risk score from multiple criteria, including the business impact of its impairment, its compliance with policies (including security policies), and its vulnerability exposure as reported by external vulnerability feeds. The risk score lets users prioritize which non-compliant assets to remediate first.
  • Trigger the remediation process.