What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is maintained by the U.S. Department of Health & Human Services (www.hhs.gov). Designed to protect the confidentiality and integrity of patient health information (PHI), HIPAA had only a muted effect on the security industry until 2009, when the Health Information Technology for Economic and Clinical Health Act (HITECH) imposed mandatory audits and fines for noncompliance.
Penalties for noncompliance range from $100 to $50,000 per violation (up to $1.5 million in a calendar year), depending on whether the violation relates to willful neglect. Personnel who knowingly disclose PHI face up to 10 years in prison.
As with PCI, vulnerability management (VM) and continuous monitoring technologies are essential for HIPAA compliance. Table 4-2 summarizes the high-level sections of HIPAA that VM and continuous monitoring capabilities satisfy, in whole or in part.