Page 282 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
In 1996, Congress passed the Health Insurance Portability and
Accountability Act (HIPAA), which made numerous changes to the
laws governing health insurance and health maintenance
organizations (HMOs). Among the provisions of HIPAA are privacy
and security regulations requiring strict security measures for
hospitals, physicians, insurance companies, and other organizations
that process or store private medical information about individuals.
HIPAA also clearly defines the rights of individuals who are the
subject of medical records and requires organizations that maintain
such records to disclose these rights in writing.
The HIPAA privacy and security regulations are quite
complex. You should be familiar with the broad intentions of the
act, as described here. If you work in the healthcare industry,
consider devoting time to an in-depth study of this law’s
provisions.
Health Information Technology for Economic and Clinical Health Act of 2009
In 2009, Congress amended HIPAA by passing
the Health Information Technology for Economic and Clinical Health
(HITECH) Act. This law updated many of HIPAA’s privacy and
security requirements and was implemented through the HIPAA
Omnibus Rule in 2013.
One of the changes mandated by the new regulations is a change in the
way the law treats business associates, which are organizations that
handle protected health information (PHI) on behalf of a HIPAA
covered entity. Any relationship between a covered entity and a
business associate must be governed by a written contract known as a
business associate agreement (BAA). Under the new regulation,
business associates are directly subject to HIPAA and HIPAA
enforcement actions in the same manner as a covered entity.
HITECH also introduced new data breach notification requirements.
Under the HITECH Breach Notification Rule, HIPAA-covered entities
that experience a data breach must notify affected individuals of the