This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."
We've been waiting nearly a decade for the Health Insurance Portability and Accountability Act (HIPAA) to go into full effect. Now that it has, is it dead on arrival?
When compared to Sarbanes-Oxley, HIPAA is a paper tiger lacking the incentives and penalties to fulfill the protection of patients' health records.
Of course, it's easy to argue that SOX has more impact because it applies to a broader community of enterprises: publicly traded companies with a public float of more than $75 million. But the issue is more than just scope; it's about consequences. SOX has teeth; HIPAA has weaker penalties and fewer agencies willing to enforce it.
As a result, many health care organizations are balking at the massive investments needed to comply with the act, and government agencies are signaling an unwillingness to hunt down noncompliant organizations.
Without enforcement, HIPAA lacks real value. The success of SOX compared to HIPAA comes down to the following factors:
Liability. The prospect of legal liability and potential jail time makes executives take SOX seriously. The penalties for violating SOX are generally much harsher than HIPAA's, and they apply directly to an organization's executives. HIPAA's accountability falls far short of the C-suite, leaving executives with no personal stake in compliance. Overall, HIPAA's liability, unlike
Auditing and reporting. SOX requires that audit professionals understand the controls and change management processes a company uses to correct security inadequacies. Under SOX, enterprises must file reports certifying their controls; HIPAA only requires that a security process be in place and demands no certification or periodic review.
Framework. SOX compliance has come to require a level of IT controls aligned with specific common frameworks (COSO and COBIT). External auditors use these frameworks as focal points for their reviews of enterprises' IT controls. While these frameworks may not be as complete or focused as some may wish, they are far better than HIPAA's loosely defined security and data protection requirements.
The blame for the ineffective state of HIPAA rests firmly with Congress, which not only ducked its enforcement responsibilities but also created a major loophole enabling law enforcement access to patient records, undermining many of the apparent protections the law was supposed to provide. HIPAA's only success has been in raising public awareness of how health care organizations protect patient information. It has done little to improve consumers' access to insurance, and its regulatory provisions have increased the overall cost of coverage. From a security and privacy perspective, most would agree that personal health care information is still highly at risk.
What will ultimately become of HIPAA and its efficacy remains to be seen. But it's clear that the security and privacy revolution HIPAA was intended to bring about has fallen short of the mark.
This was first published in March 2005