HIPAA and Network Security

13 09 2007

A friend of mine, who used to work for a company that’s contracted to the state of Wisconsin for its Medicare/Medicaid program, worked more specifically with HIPAA. I asked him this:

I’ve got a question for you… do you have, or know where I might find, information about HIPAA in regards to network security? For instance, companies’ legal responsibilities for keeping electronic data secure?

His response:

That’s a hell of a loaded question. HIPAA actually has very few specifics about what is required for network security, but instead is written vaguely enough that everyone is keeping on their toes. It was enacted back in ’96 so anything they wrote into it is already 11 years old. It’s far from being as simple as “and every entity must have a XXXX type firewall system”… It’s really more like “everyone must do what is necessary to keep the information secure”.

Overall, it affects any covered entity that works with health data: hospitals, other health care providers, health/pharmaceutical insurance companies, state health programs (i.e. Medicaid), etc. All of these need to have a privacy/security plan in place. Also, a LOT of the network security aspect of this is paperwork. When one of the above entities has someone else working for them (like EDS for WI Medicaid), they need to have a business associate agreement or agent subcontractor agreement in place. This forces the subcontractor to follow the rules of the covered entity. And there’s a trickle-down effect as well: when the subcontractor has another subcontractor working for them (like when UGS worked for EDS) there’s another agent subcontractor agreement in place between them. Also, for things like web portals or other remote systems, there are user agreements in place for each user to protect against the dissemination of the data to persons not needing to see it. And user accounts should always follow the “minimum necessary” rule, which says that any user should only have access to exactly what they need to accomplish the job and nothing more.

So a security administrator for a company that handles medical records needs to be aware of the nebulous regulations set up by the federal and state governments. Not only do they need to design a security system that will keep information secure, but they need to keep the “minimum necessary” rule in mind, too. It’s a tightrope to walk in ever-changing conditions.
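One concrete way to build the “minimum necessary” rule into a records system is to tie each role to the exact set of record fields its job requires, filter every read through that mapping, and log what was granted and what was refused so that over-broad requests are visible to an auditor. The following is an added example, not code from the original post or from any of the organizations it mentions; the roles, the field-to-role policy and the sample patient record are all constructed assumptions.

```python
"""Minimum-necessary (least-privilege) field filtering for a health record.

Added illustration; the roles, policy table and record below are
constructed assumptions, not a real entity's configuration or data.
"""
from dataclasses import dataclass, field

# Constructed, fictitious sample record.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1970-01-01",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril"],
    "billing_code": "99213",
    "insurance_member_id": "MEM-12345",
}

# Assumed policy: each role is granted only the fields its job needs.
# A role absent from this table is granted nothing (deny by default).
ROLE_FIELDS = {
    "scheduler": {"patient_id", "name"},
    "billing_clerk": {"patient_id", "name", "billing_code", "insurance_member_id"},
    "nurse": {"patient_id", "name", "dob", "diagnoses", "medications"},
}


@dataclass
class AuditLog:
    """Collects one entry per access decision for later review."""
    entries: list = field(default_factory=list)


def minimum_necessary_view(record, role, requested_fields, audit):
    """Return only the requested fields the role is entitled to see.

    Denied fields are never copied into the result; both the granted
    and the denied sets are written to the audit log so an unusually
    broad request stands out even though it was refused.
    """
    allowed = ROLE_FIELDS.get(role, set())
    requested = set(requested_fields)
    granted = requested & allowed
    denied = requested - allowed
    audit.entries.append({
        "role": role,
        "granted": sorted(granted),
        "denied": sorted(denied),
    })
    return {name: record[name] for name in sorted(granted) if name in record}


def policy_fields_outside_schema(policy, schema_fields):
    """Flag policy entries that grant fields the record does not have.

    Useful as a consistency check when the record schema changes: a
    dangling grant usually means the policy was not reviewed with it.
    """
    return {role: sorted(fields - set(schema_fields))
            for role, fields in policy.items()
            if fields - set(schema_fields)}


if __name__ == "__main__":
    log = AuditLog()
    print(minimum_necessary_view(SAMPLE_RECORD, "scheduler", ["name", "diagnoses"], log))
    print(log.entries)
    print(policy_fields_outside_schema(ROLE_FIELDS, SAMPLE_RECORD.keys()))
```

The deny-by-default lookup is the important design choice: an unknown or mistyped role yields an empty view rather than a full record, and the audit entry still records what was asked for.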

He also provided these links:

Wikipedia has a good article (see the “security rule” section):

The official government site:

Another good government site (more security heavy):

And a good Wisconsin based org that pretty much sets the industry standard for this sort of thing in the state, HIPAA Cow: