The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996. In this short article, we take a look at the requirements of HIPAA and the HITECH Act, with a simple guide to achieving compliance via the COBIT framework.
HIPAA

Violating the requirements of HIPAA can prove extremely costly. In 2014, the penalties for noncompliance were reviewed, and the Final Rule under the HITECH Act increased the maximum penalty to $1.5 million per year for violations of an identical provision. Penalties are tiered according to the level of negligence and can range from $100 to $50,000 per violation; because each affected record may be counted as a separate violation, a single incident can quickly reach the annual cap.
Applying to any covered entity or business associate that processes, stores or transmits PHI electronically (ePHI), HIPAA's Security Rule requires that access controls are put in place so that authorized users have access only to the minimum amount of information needed to perform their job role.
Additionally, the HITECH Act's breach notification rule requires that any breach of unsecured PHI is reported to the individuals affected (and to the Department of Health and Human Services). Should a breach affect more than 500 individuals, prominent media outlets must also be notified. The Act itself does not specify which internal controls an organization should use, but COBIT (Control Objectives for Information and Related Technology) outlines best practice and is a framework commonly adopted by IT departments to demonstrate HIPAA compliance.