
Information security, ISO27001 and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (which took effect in 2003) is a set of federal standards that requires healthcare organizations (Covered Healthcare Providers, Health Plans and Healthcare Clearinghouses) to implement, and keep up to date, security standards that protect patient data, and to standardize on electronic data interchange. HIPAA was originally designed to speed the processing of medical claims by setting standards for transmitting medical data. This naturally raised information security concerns, so provisions were also made to protect the confidentiality of personal health information both in transit and in storage.

The ‘Administrative Simplification (AS) Provisions’ set out the specific rules that institutions must implement in order to comply with HIPAA; these include the rules for EDI, for electronic signatures and for privacy standards. While these provisions are technology-independent, any system of information security controls that a healthcare organization implements to meet them will need to be integrated and comprehensive.

ISO27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.
