HIPAA, The Health Insurance Portability and Accountability Act, has been with us for years now. Upon reading through the vast and cumbersome documentation, one quickly realizes that HIPAA has many moving parts, enough to make you truly gaze at amazement as to what the actual explicit intent is for compliance. In regards to the security provisions of HIPAA, The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule, there are a number of broad based requirements for ensuring HIPAA compliance.
But that’s really where it ends, because unlike a SAS 70 Type II audit and a Payment Card Industry Data Security Standards (PCI DSS) assessment, compliance is, for the most part, not actively overseen. What does it really mean to be HIPAA compliant? What part of HIPAA do organizations need to be compliant with? What are the true penalties for non-compliance, if any?
HIPAA needs to take a more aggressive approach, possibly a revision of the law along with explicit rules for what compliance is and for what part of the HIPAA legislation. Only then will HIPAA really have the bite like SAS 70 or PCI DSS.