HIPAA

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was established by Congress in 1996. The legislation was passed to improve the efficiency of the United States healthcare system. It does so by standardizing best practices for maintaining the security and privacy of healthcare data. HIPAA required the United States Department of Health and Human Services (HHS) to create new regulations addressing this data. Thus far, the HHS has released two documents, the Privacy Rule and the Security Rule.

The Privacy and Security Rules define requirements for handling all electronic personal health information (e-PHI). Personal health information (PHI) represents any health data that includes identifying information (e.g., name, address, health conditions). Further, under HIPAA, healthcare organizations can no longer request Social Security numbers (SSN) as part of their data collection.

In 2009, the U.S. Congress also passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This legislation creates definitions for the meaningful use of electronic health records (EHR) that contain PHI. The HITECH Act requires healthcare organizations to report suspected breaches. Increasing awareness around healthcare-related data breaches also prompted Congress to pass the HIPAA Omnibus Rule in 2013. This rule defines required security controls. These controls aim to strengthen the original protections within the HIPAA Privacy and Security Rules.

Covered Entities. HIPAA defines rules for all healthcare organizations (also known as covered entities) that store or transmit PHI data. Covered entities can include health plans, healthcare providers, or individuals assisting with healthcare. HIPAA also acknowledges that covered entities occasionally need to disclose PHI to business associates that support health services.

With the passing of the HITECH Act and HIPAA Omnibus Rule, business associates must adhere to HIPAA requirements in the same fashion as a covered entity. As such, covered entities must get written assurances from business associates that appropriate controls are in place.

What does HIPAA compliance have to do with software security?

The HIPAA Security Rule defines controls that must be implemented to protect PHI. This requires the implementation and documentation of administrative, physical, and technical safeguards. The technical safeguards require appropriate access, audit, and encryption controls. Software handling PHI must have these controls in place and they must be documented.

Conducting tests to ensure an implementation is performed appropriately in software that stores or transmits e-PHI demonstrates that HIPAA-required controls are successfully in place. Provision 164.308(a)(8) of the HIPAA Security Rule requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of these systems.

Synopsys can help organizations meet the software security-related regulations set by HIPAA. We can assist in evaluating an organization's overall control environment to determine if the various HIPAA Security Rule requirements are met.

What problems does HIPAA compliance solve?

Any organization handling healthcare data or PHI must ensure that their security program and software controls address the requirements of the HIPAA Security and Privacy Rules. Covered entities that meet these rules are able to process, store, and transmit PHI without fear of civil or criminal penalties.

Note that HIPAA rules establish a minimum standard for the implementation of IT and software security controls. Without these rules, organizations processing PHI have no specific requirements protecting their healthcare data (i.e., for maintaining the confidentiality, integrity, and availability of the data).

The enforcement of HIPAA standards by the U.S. federal government ensures that organizations take the implementation of PHI controls seriously. It also ensures that consumers of healthcare in the U.S. have an outlet if their PHI is mishandled.