For many years DeckerWright Corporation has been working with healthcare firms to help them protect patient information by meeting Health Insurance Portability and Accountability Act (HIPAA) security requirements. The concept of Protected Health Information (PHI) was introduced in the HIPAA legislation in 1996. The federal Department of Health and Human Services (HHS) was tasked with writing the regulations that define PHI and how it must be protected. An evolving body of regulation governs how healthcare firms must protect PHI from loss or theft and defines the penalties that apply when PHI is breached.
Fast forward to today. There is a lot of talk about Personally Identifiable Information (PII) and how to protect it. PII is any data that can be used to identify a person, such as first and last name, address, phone number, or Social Security number. From financial institutions to retail establishments subject to Payment Card Industry (PCI) data requirements, non-healthcare industries are rapidly adopting many of the key aspects of HIPAA. One of the takeaways from the HIPAA regulations is that security improvement must be a constant focus, because vulnerabilities and threats change over time. Putting in the latest security technology today does little to protect against the threats of tomorrow.
While there are plenty of technical requirements in many PII-related guidelines, all of the guidelines require the adoption of policies and procedures meant to reinforce a culture of security and to provide the framework needed to respond to breaches when they happen. Each set of industry guidelines requires slightly different documents that describe the information technology environment, plan for disaster recovery, and spell out what to do during a breach. The guidelines normally include the need for regular vulnerability tests and an annual security risk assessment.
With the launch of the General Data Protection Regulation (GDPR) in the European Union, it will not be long before the United States adopts its own PII guidelines modeled on the HIPAA regulations. Absent any lead from the federal government, industry trade groups will take charge of developing and disseminating security guidelines. The foremost group in this regard is the PCI, since it can enforce its rules through fines and penalties tied to credit card use. As PII security requirements begin to reach all industries, look for federal legislation to address the PII held by tech companies that are not touched by HIPAA, PCI, or financial institution requirements. These include large companies like Google and Facebook. Since the body of security requirements has been evolving from HIPAA's origins over 20 years ago, look for the upcoming federal guidelines to build on that well-understood body of work.