Piedmont Hospital in Atlanta is first—first to have the pleasure of undergoing a Department of Health and Human Services (HHS) HIPAA audit.  HIPAA is that other regulatory compliance thing that, in many publicly traded healthcare companies, has taken a back seat to SOX.  But now its time has come.  What will this mean to security managers in the healthcare industry?

I can’t speak for all HIPAA regulated companies; I can only speak for the one for which I work.  I believe the advent of audits will bring renewed interest in spreading more security dollars beyond the integrity related controls on which we’ve focused for SOX audits.  This doesn’t mean we’ve ignored HIPAA.

We actually met the April 2005 compliance date specified in the Security Rule.  This was due in large part to significant management support for our efforts.  Since then, it’s been a minor challenge to keep engineering and development focused on the confidentiality requirements specified in both the Security and Privacy rules.  It isn’t that they resist compliance.  Rather, Security finds itself continuously reminding them about not putting ePHI at risk.  This is much different from regulated financial data.  It’s hard to forget about SOX when we undergo frequent internal audits as well as annual third party audits.

Improved focus on HIPAA is good for both regulated and unregulated applications.  The Security Rule’s scope encompasses all fundamental elements of ISO 17799 instead of simply targeting data integrity.  I believe this will serve to rejuvenate management support as well as refocus our technology teams on the broad range of challenges that is Information Security.