What Non-Medical Businesses can Learn from HIPAA: Part 2

By now, you’ve familiarized yourself with the dual nature of HIPAA, a law concerned with providing Portability and Accountability for users of personally identifiable data in the healthcare industry. And by now, you’re probably beginning to understand that the HIPAA mandates are actually useful in non-healthcare fields, like finance and professional services.

In the previous installment of this series, we talked about the Portability focus of the law.  In this installment, we’ll talk about its counterpart: Accountability.

When one defines accountability, they usually think of concepts like transparency and consistency. The phrase “same way every time” comes to mind, and liability protection is a strong theme, particularly when accountability is defined in HIPAA vocabulary.

Of course, the law’s focus is on the privacy protection of data about patients and their medical care, whether that data is in storage or in transit from one service provider to another–say, a dentist to an orthodontist, or a surgeon to an insurance company.  Relative to privacy protection, accountability means “prove it.”  Prove that you provide transparency, consistency, liability protection, and, most importantly, privacy in your handling of data.

Accountability is also a best practice concept for companies doing business in entirely non-medical industries. In the investment industry, the Sarbanes-Oxley regulations provide a similar requirement for transparency and privacy of financial transactions and the parties involved. In the credit card processing industry, a voluntary compliance standard called PCI-DSS is there to ensure accountability. In the mortgage industry, the Gramm-Leach-Bliley Act, or GLBA, exists to ensure accountability. Starting to see a pattern?

All these measures say: Prove you’re accountable. Prove you protect the privacy and security interests of your customers.

And all these measures flow from HIPAA, perhaps not directly, but certainly in spirit.  That’s why it makes sense for business operators in largely unregulated industries to look at HIPAA first when seeking a framework for best security practices.  HIPAA is the most generic, and therefore the most applicable to non-medical data protection, despite its intent to focus on the healthcare field.

Best Technology uses a version of a HIPAA communication protocol to protect sensitive information passed between our customers, vendors, and employees. We call it our Security and Privacy Protocol–but it’s really just an adaptation of one of the HIPAA privacy mandates found in the Department of Health and Human Services’ Security Series documents (which you can find here).

This adaptation of a HIPAA guideline is one way we’ve taken guidance from the law. There’s a great deal of wisdom and guidance contained in the HIPAA rules, and even though the law itself seems like it’s a mile long, the applications for it are extremely practical, whether you’re a doctor, a lawyer, or a graphic artist.

If you need help with HIPAA compliance, give us a call.

Ted Wallingford is the founder of Best Technology and the author of two O’Reilly Media books about Data and Voice Networking. He can be reached at ted@btstrategy.com.

You can find part one in this series here.