Under the Health Insurance Portability and Accountability Act, Public Law 104-191 (HIPAA), enacted in 1996, organizations in the United States that handle individually identifiable health information are required to safeguard the confidentiality of that information. HIPAA's requirements are mandatory for the "covered entities" it defines (health care providers, health plans and health care clearinghouses, including government programs such as Medicare and Medicaid) and, through contractual obligations, for the business associates that process protected health information on their behalf.
The privacy and security requirements set out in HIPAA are implemented through two regulations issued by the US Department of Health and Human Services (HHS). First, there is the HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information). This rule protects protected health information (PHI) in every form: paper records, electronic records, and even information spoken aloud by a doctor. In general, the Privacy Rule addresses the overall handling of medical data, such as the circumstances under which it may be used or disclosed to third parties.
Second, there is the HIPAA Security Rule (Health Insurance Reform: Security Standards). This rule applies specifically to PHI in electronic form (ePHI) and sets out, in more detail, the administrative, physical and technical safeguards, policies and procedures an organization must have in place. Violations of HIPAA carry both civil and criminal liability: civil penalties are imposed by HHS, while criminal cases are prosecuted by the US Department of Justice. Under the original statute, HHS may fine a violator USD 100 per violation, up to USD 25,000 per calendar year for repeated violations of the same provision (the HITECH Act of 2009 later introduced tiered civil penalties of up to USD 50,000 per violation). On the criminal side, a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA can be fined up to USD 50,000 and imprisoned for up to one year. If the offense is committed under false pretenses, the maximum rises to USD 100,000 and five years, and if it is committed with intent to sell or transfer the data, or to use it for commercial advantage, personal gain or malicious harm, the maximum is USD 250,000 and ten years in prison.
This white paper reviews the requirements of the HIPAA Security Rule that affect a company's information infrastructure and the security controls deployed in it. It also describes the features of DeviceLock, a product by DeviceLock, Inc., that can help organizations meet those requirements more effectively.