What Non-medical Businesses can Learn from HIPAA

By Ted Wallingford, CEO, Best Technology

Most of us are familiar with the HIPAA security rule – a law governing how businesses may use, share, and disclose data about medical patients – because we’ve all been consumers of medical services at one point or another. So we’ve all signed that “HIPAA Compliance Statement” before seeing a doctor when we have the sniffles.

But HIPAA is more than a simple disclosure that requires a signature. In fact, HIPAA is a set of best practices that you should be paying attention to – and implementing – even if you aren’t in the medical field.

Why? Because this set of best practices is really just a fantastic way to protect all sorts of consumer data, from credit card numbers to legal correspondence to credit information. While the data protection requirements of the law pertain specifically to medical information of a personally identifiable nature – that is, information about a specific person – those same protection requirements can be applied to sensitive non-medical data, too.

Let’s examine how HIPAA mandates can be applied in both medical and non-medical environments to reduce risk, increase compliance, and protect your organization.

To start things out, let’s talk about the dual nature of HIPAA. The acronym actually stands for Healthcare Information Portability and Accountability Act. The two main concerns of the law are Portability and Accountability. The Portability portion, spearheaded by Congress as far back as the sixties, is designed to ensure that physicians and medical staffers can access patient records during the course of care, and transmit them to other physicians and staffers as needed. The intended result was higher-quality care.

But with portability comes a security risk. Electronic data systems of the 1960s were relatively primitive (hospitals were using carbon forms and didn’t have computers yet), so the risk was one that could be contained primarily with lock and key. After all, just about every medical record then was stored on paper, in a file cabinet somewhere. That all changed when computers and high-speed networks became standard in healthcare during the 1970s and early 1980s. The emergence of electronic patient data magnified the risk associated with portability.

In the old days, a courier or postman could transport a patient chart in a sealed envelope, and the security of that transportation was backed by either a private contract or an assumption of best practices (i.e., mailmen never open the mail they transport). But now, with electronic data transfer disrupting the industry, a new set of best practices had to be defined to make sure that the portability of patient data didn’t come at the expense of its privacy.

The answer was Congress’s HIPAA Security Rule – one of the most sweeping best practice documents in history, and an excellent guide for how to protect ANY kind of data by using daily, habitual practices. The Security Rule requires, among other things, that encryption be employed whenever personal medical information is stored or transmitted. The idea here is that, even if the data were to fall into the wrong hands while being transported or stored, it would be unreadable.

This is also a best practice for the rest of us, even outside the field of broken legs and whooping cough, because we need our business data to be both portable and secure. HIPAA provides an awesome model for ensuring both.

Other industries are governed by other regulations, including Gramm-Leach, Sarbanes-Oxley, and PCI-DSS. But all have been shaped by HIPAA. The Cloud factors into HIPAA compliance, and you might be surprised to learn the truth about the security of cloud services. In a future post, we’ll talk about that.

Ted Wallingford is the founder of Best Technology and the author of two O’Reilly Media books about Data and Voice Networking. He can be reached at ted@btstrategy.com.

Continue reading: What Non-Medical Businesses can Learn from HIPAA, Part 2