The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, set forth new standards for the privacy and security of protected health information (PHI). The timeline set for implementation of the privacy standards was April 14, 2003; however, the security regulations were only in proposed form. It was clear that some security must be in place in order to protect the privacy of PHI. We decided that our greatest area of risk was for unauthorized use and disclosure of PHI, and would therefore focus on protecting the confidentiality of PHI. The approach that was taken was to identify the security standards from the proposed rule that addressed confidentiality, as opposed to availability and integrity. Plans were developed and responsibilities assigned to focus on the security standards chosen. The final security regulations were published February 20, 2003, and an analysis was done to see how our selection of standards from the proposed rule measured up against the final rule. Our assessment is that we chose wisely, which put us in an excellent position for both privacy and security compliance. Today we have a sound security program in place, which will enable us to meet and probably exceed the requirements set forth in the final rule.