HIPAA

Healthcare organizations are subject to numerous compliance regulations. The healthcare industry (including both payers and providers) is subject to the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy rules. These regulations provide privacy rights and protection for healthcare consumers' protected health information (PHI, or EPHI for electronic information). In addition, the regulations are very specific regarding requirements for IT security. The HIPAA Security rule includes 74 specific requirements, spanning Administrative, Physical, and Technical Safeguards. The HIPAA Administrative safeguards specify that covered entities must perform risk assessments, manage security risks, and assess application and data criticality. They also require organizations to assess which of their business partners have access to the organization's EPHI, and to execute Business Associate Agreements with those partners ensuring that each partner will appropriately safeguard the information. The Department of Health and Human Services administers the HIPAA regulations.

Until recently, HIPAA was not actively enforced. In 2007 regulators conducted the first-ever audit of a healthcare organization for compliance with HIPAA. In early 2008, healthcare regulators announced plans to audit an additional 10-20 healthcare organizations. Healthcare firms may also be subject to fines for HIPAA non-compliance. In addition, other negative consequences of non-compliance or of a public security breach apply, including brand damage and loss of market capitalization.

For a list of links to the HIPAA regulations and regulators, please visit our HIPAA Resources page.
