April 2005
EXECUTIVE SUMMARY
HIPAA Defined
HIPAA is U.S. Public Law 104-191 – the Health Insurance Portability and Accountability
Act of 1996. Congress created the Act to improve health care enabled by the nation's four
million-plus health plans and 1.2 million-plus providers. A series of rules are being
developed and issued by the Department of Health and Human Services ("the
Department"), mandating standards-based implementations of HIPAA by all health care
organizations that create, store or transmit health care data electronically. The
Department-specified deadlines are backed by various civil penalties, including fines
and/or imprisonment, for noncompliance.
The Department states, "[I]t is important to recognize that security is not a one-time project,
but rather an on-going, dynamic process." The Department therefore requires security-related
processes, many of which are often better implemented with technology. HIPAA
regulations do not mandate particular security technologies. Instead, they specify a set of
principles for guiding technology choices, principles that are nearly identical to those
underpinning the NetVision Security Administration Framework™ system.
Through HIPAA, Congress directed the Department of Health & Human Services to draft
rules for complying with the Act. Proposed rules are published for user and industry
comment. The Department then addresses and incorporates comments in its final rules.
The final rule for HIPAA security was published on 20 Feb. 2003 in the Federal Register
as 45 CFR Parts 160, 162 and 164.
While the Privacy component of HIPAA was enforced on April 14, 2003, the security rule
mandates compliance by April 20, 2005.
The section entitled General Rules of the Final Rule on security compliance, issued
February 21, 2003, reads as follows:
Penalties
• General Penalty. Section 1176 of the Act establishes a civil monetary penalty for
noncompliance. The Act limits penalties to $100 per person per violation with a maximum of
$25,000 per person for violations of a single standard for a calendar year.
• Wrongful Disclosure. Section 1777 establishes three penalties for "a knowing misuse of
unique health identifiers and individually identifiable health information: (1) A fine of not
more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is under 'false
pretenses,' a fine of not more than $100,000 and/or imprisonment of not more than 5 years;
and (3) if misuse is with intent to sell, transfer, or use individually identifiable health
information for commercial advantage, personal gain, or malicious harm, a fine of not more
than $250,000 and/or imprisonment of not more than 10 years."
• Section 164.308 (a) (1) (ii) (D) in the Security Rule requires an Information
System Activity review to be a part of a security management process in order
to detect security incidents. A security incident is defined in section 164.304 in
the Security Rule as the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system
operations in an information system. The covered entity is expected to regularly
review records of information system activity, such as audit logs, access reports,
and security incident tracking reports.
• Section 164.312 (b) in the Security Rule requires implementing hardware,
software, and/or procedural mechanisms that record and examine activity in
information systems that contain or use electronic protected health information.
“…(d) SECURITY STANDARDS FOR HEALTH INFORMATION… The Secretary shall adopt
security standards that (A) take into account … (iv) the value of audit trails in computerized
record systems…”
It should also be noted that the retention period for records that can demonstrate
compliance with the Security Standards is stated to be 6 years. When audit trails are used
to meet the standards, archived audit trails must be retained for 6 years.
NetVision solutions can help you establish the security programs and policies you need to
meet HIPAA requirements. The NetVision Security Administration Framework™ system
offers healthcare companies unique IT security solutions in the areas of security
management, automation, and lowered cost of ownership. With their unique capabilities of
policy management, auditing and change management, vulnerability management and
user identity and access management, NetVision solutions are already at work today in
over 600 organizations throughout the world including some of the leading companies in
the healthcare industry.
See the “NetVision HIPAA Regulations Matrix” for a full overview of the Final
Security Standards and Implementation Specifications, and NetVision’s solutions for
each:
ftp://204.202.2.187/netvision/whitepaper/NetVisionHIPAAregulationsMatrix.pdf
NetVision Inc. 1500 N Technology Way, Bldg D, Suite 3300, Orem, Utah 84097
© 2005 NetVision Inc. All rights reserved. U.S. Patent No. 5,721,825 protects NetVision’s Global Event Services. GES is a registered
trademark and Global Event Services, NVPolicy Resource Center, NVMonitor, NVAssess, NVIdentity, and Integrated Security Policy
Management are trademarks of NetVision, Inc. All other products not listed are the property of their respective owners.