HIPAA is the legislature that was proposed by Senators Kennedy and Kassebaum and signed into law by President Clinton in 1996.
Title II, a standard of electronic health care transactions
This section defines a national standard by which companies that are transacting in Protected Health Information must follow.
Protected Health Information or PHI
What is PHI data? It is data that contains personal medical information. For example, a record of Fred Smith’s blood pressure is PHI, but medical data about an anonymous person with no way to identify who the data belongs to is not HIPAA.
How is it protected? By Safeguards.
Data must be protected by physical security measures (locks, cameras) that will ensure the safekeeping of the data.
Staff must be trained on how to handle PHI, including backup procedures and even disaster recovery.
Protect data from unauthorized access. This includes encrypting the data at rest and in transit.
Practical – Who cares?
You should. There are fines imposed for data that is stolen. The technical term is “unauthorized access” to the PHI data.
One facility in Florida was fined $50,000 for a laptop that was left in an employee’s trunk and was stolen. The data was accessible – about 500 patients had their information stolen. Imagine the cost of a larger database being accessed illegally.
First, be sure to educate yourself. Being self-didactic is a good thing. Ask questions (google them). I like the HIPAA Survival Guide website. I recommend you spend a couple of hours reading it. Sign up for the clear water compliance newsletter.
If you are a larger company with a budget, then you can hire a security compliance company like 3 pillars out of WI. Keep in mind that most security consulting companies are just that – consulting. They don’t actually do the security, but they do check to make sure that you have the correct safeguards in place. They can do an audit to find out where you are falling short.