Observations from HIPAA Conference – Time to Act?
On June 6-7, the National Institute of Standards and Technology (NIST) co-hosted a conference focused on HIPAA, the foundational U.S. health care information law. I attended the conference and came away with the sense that a) health care entities have begun to see clarity in the things they must do from an IT perspective to abide by the law’s requirement to protect patient information and b) they are motivated to do so through Federal moves to enforce the law.
The links between vague laws and concrete technical requirements to support them are usually ambiguous because the laws are written by non-technical lawyers and they often turn over implementation details to government departments.
That is certainly the case with HIPAA. A health care entity’s IT department must follow a series of bread crumbs from the law to the relevant rule (the “Security Rule” and “Privacy Rule” as written by the Federal department assigned that task). From there, the bread crumbs diverge into several optional security frameworks – most notably the NIST Risk Management Framework and the HITRUST Common Security Framework – and then seem to re-converge into a series of special publications and a toolkit authored by NIST. NIST’s technical guides must be followed by Federal agencies and can be optionally followed by non-governmental health care entities. To minimize legal exposure, most health care entities are likely to follow the NIST guidelines.
Amazingly, the trail of bread crumbs described in the preceding paragraph has taken over 10 years to develop!
Coincidental with increasing clarity in what must be done from an IT point of view to abide by HIPAA is the passage of another Federal law called HITECH. Among other things, HITECH requires health care entities to publicly disclose data breaches affecting 500 or more patients and it increases financial penalties for HIPAA non-compliance. Further, a Federal agency has begun auditing health care entities – for the moment on a trial basis – to determine their current level of compliance and to identify areas where more clarity is required. It’s only a matter of time before real financial and even criminal penalties are assessed for non-compliance.
In my view, the two things that will motivate health care entity IT departments to act are finally in place – general clarity around what must be done and significant penalties for not doing it. I believe conference attendees understand this as I sensed a keen desire to achieve and/or maintain HIPAA compliance. And I’m sure it was not lost on the conference attendees that about a quarter of their fellow attendees were lawyers, some of whom I imagine are looking for new business. Perhaps that will be the subject of another blog entry!
For more information about our approach to health care information security, read the Cisco Medical-Grade Network 2.0: Security Architecture design guide, available at http://www.cisco.com/en/US/docs/solutions/Verticals/Healthcare/MGN_2.0.pdf.
Cisco Compliance Solutions Group
P.S. Cisco’s anonymous, 5-minute Regulatory and Industry Compliance Survey is still open! It can be found at
In future blog posts, we will share the results with you.