How Does INFOSEC Relate to HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that charges the Department of Health and Human Services with establishing regulations for the handling of certain types of health information (HI), collectively known as “protected health information.”

HIPAA itself does not establish the regulations, but provides the framework for regulations (generally known as “rules”) in four areas: transactions and code sets, identifiers, privacy, and security.

Transactions and code sets deals with the correct and complete transfer of information between health care entities. The idea is that electronic data interchange (EDI) will be made easier by having industry-wide standards for interchange code sets. Rather than needing to negotiate data interchange code sets each time that two entities establish a relationship, the entities can simply refer to a particular HIPAA transaction code set.

Identifiers is the specification for uniquely identifying entities in the health care system. Health care providers, clearing houses, and insurers are all given unique identifiers within the U.S. health care system to ease the identification of those entities.

Privacy is the rule that provides guidelines intended to protect the confidentiality of health information. Standards for identification and authentication of people and organizations requesting HI are enumerated in this rule.

Security is the rule that deals largely with the technical measures used to enforce the organization's information-handling policy. Certain provisions of the Privacy Rule will require implementation of the Security Rule for enforcement.

For our present discussion, the Privacy Rule and Security Rule are most important.

Privacy is best defined as “informational self-determination.” HIPAA's Privacy Rule helps to support large-scale privacy by providing policy guidelines, basically spelling out who may share what with whom. The Privacy Rule goes a step further, actually providing additional requirements that deal with the risk of accidental exposure. Thus, operational procedures are also impacted.

Security, when defined broadly as the “enforcement of policy,” is achieved through both operational requirements and technical requirements of systems that deal with protected HI. To this end, HIPAA helps covered organizations to achieve security by providing a clear standard as to what minimum protection must be offered. The benefit that this provides is uniform protection of HI, and helps covered organizations to understand just where they are expected to draw the lines between functionality and security.

Information security is one of the goals of HIPAA. Through its Rules, clear and consistent standards have been established that will help covered entities to understand:

  • Which kinds of information are critical (through the definition of protected health information);
  • How to support confidentiality of information (through the policy framework articulated in the Privacy Rule);
  • How to support integrity (through the interchange standards in the Transactions and Code Sets Rule, uniquely-identified entities in the Identifiers Rule, and the technical data integrity standards established in the Security Rule);
  • How to support availability (through provisions in the Security and Privacy Rules).

Building an information assurance program that adheres not only to the letter of each of the rules but also to the spirit and higher-order goals of HIPAA will do more than help you avoid regulatory compliance problems. Supporting the security of health information will also help the U.S. health care system to be worthy of its patients' trust.

Matt Curtin is the founder of Interhack Corporation (+1 614 545 HACK, web.interhack.com), a Columbus-based information security, privacy, and forensic computing firm, providing assessment, evaluation, and testing services to support policy definition and enforcement, as well as regulatory compliance to clients all over North America. He is also a lecturer at The Ohio State University, in the Department of Computer and Information Science. Matt is a certified information systems security professional (CISSP), holder of the U.S. National Security Agency's (NSA) INFOSEC Assessment Methodology (IAM) certification, and maintains active memberships in InfraGard (FBI's cooperative effort to protect the U.S. infrastructure), the Association for Computing Machinery (ACM), the Institute for Electrical and Electronics Engineers (IEEE) Computer Society, and USENIX (the advanced computing association). Matt is the author of Developing Trust: Online Privacy and Security (Apress, 2001).