NIST publishes HIPAA security help

Internal Auditor, June, 2005 by S. Doyle

The U.S. federal government recently issued guidelines for complying with the Health Insurance Portability and Accountability Act (HIPAA), nearly a decade after Congress passed the law establishing national standards that protect the privacy of personal health information. The 137-page guidance from the National Institute of Standards and Technology's (NIST's) Information Technology Laboratory explains the structure and organization of the HIPAA Security Rule. The resource guide was released in March, one month before the April 20 deadline for compliance with the law's security mandates.

An Introductory Resource Guide for Implementing the HIPAA Security Rule (Special Publication 800-66) details the minimum requirements to secure health information and systems. Congress enacted HIPAA in 1996 to provide rules that must be followed by individuals or institutions handling confidential patient records. Violators of HIPAA rules can be fined up to US $250,000 and sentenced to up to 10 years in prison.

The guide identifies the tools needed to protect health information from external and internal security threats, such as e-mail attacks, compromise of passwords, and use of personal health data by unauthorized employees for personal gain. Although somewhat overdue and focused primarily on the rule's implementation in the federal government, the new guidelines are timely for internal auditors, who can refer to the guide's concepts when reviewing their organization's compliance with the rule's security provisions.

The guidance provides a series of questions auditors can use to identify the various ways employees access workstations and to detect which type of access holds the greatest threat to security. The questions can also help auditors determine which activities should be tracked or reviewed to eliminate misuse, as well as decide who will be responsible for the overall audit process, how frequently audits will take place, and how often audit results should be analyzed.

Performing HIPAA compliance audits may enable organizations to better protect and maintain the privacy of employee health-related data and reduce risk by helping employees understand how the law affects their work.

An online version of the resource guide can be downloaded from the NIST Web site at http://csrc.nist.gov/publications/nistpubs.

COPYRIGHT 2005 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning