Companies and employers throughout the country are scrambling to put themselves in compliance with federal computer security regulations brought on by two far-reaching pieces of legislation. Known as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), these Clinton and Bush era rules place serious obligations on those who keep private information in a computer, with the consequences of non-compliance with the laws being equally serious. However, those who think that these regulations only apply to “big” businesses are sadly mistaken.
Signed into law in 1996, effective in 1998, and with compliance being required in 2000, HIPAA regulations are aimed at medical professionals who deal with electronic patient data, such as data stored on a computer or transmitted across a computer network or the Internet. The privacy and availability of electronic patient data must be ensured, and its integrity must also be protected.
In practical terms, this means that doctors, nurses, office staff, insurance agencies, attorneys, secretaries, vendors, and anyone else who handles patient data must ensure that names, addresses, telephone numbers, social security, credit card, bank account and other identifying numbers that make their way onto computers are protected from loss, corruption and unauthorized access. Computers should not be left unattended in unlocked rooms. Anti-theft measures should be in place. Computers and file systems should be password protected, and particularly sensitive files should be encrypted. Antivirus and antihacker measures should be in place. Patient data stolen by thieves or hackers has lost its privacy; data damaged by a computer virus has lost its integrity; and data destroyed by an accident such as a storm has become unavailable. All three situations can be considered violations, incurring non-compliance citations.
Brought on in 2002 by the WorldCom, Global Crossing and Enron scandals, SOX is aimed at improving corporate reporting procedures in the world of publicly traded companies, i.e., companies that sell stock. Accountability is the key, and companies must use financial accounting systems that provide ways of proving what happens to data. The “who, what, where, when and why” of access to private financial and personal information is at the heart of SOX compliance. Again, sensitive computer information must be protected from theft, loss or corruption, and plans must be in place to recover that data if a loss occurs.
I suggest that people ask doctors, lawyers and insurance companies with whom they work and do business what measures they’ve taken to ensure HIPAA/SOX computer security compliance – and I don’t mean just talking about those dopey “privacy notices” that you get, saying that they can give your private information out to whomever they please. Some in the medical and financial fields seem to have an “Oh, who cares” attitude towards HIPAA and SOX compliance, regarding compliance as nothing more than useless government intrusion. Government intrusions they may be, but you’ll really know that the government has intruded into your life when you’re looking out at the world from inside a jail cell.