HIPAA Compliance


The US Federal Government passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to promote better information sharing between healthcare providers and to protect the confidentiality and integrity of patient data. HIPAA applies to virtually all healthcare organizations - including all health care providers,

HIPAA calls for severe civil and criminal penalties for noncompliance, including fines for multiple violations of the same standard in a calendar year, and larger fines and imprisonment for the knowing misuse of individually identifiable health information.

The most important part of HIPAA to security and compliance officers is the Security Rule which was finalized in 2003. The Security Rule divides security requirements into three categories:

  • Administrative. Business processes show that the organization will comply or is in compliance with the act. Example administrative requirements include:
    • Clearly restrict access to electronic protected health information (EPHI) to only those individuals who require access for their job function.
    • Change control procedures and disaster recovery plans.
    • Identification of potential security breaches with internal audits of both routine and event-based activities.
  • Physical. Protect EPHI from inappropriate access. For example:
    • Develop controls to govern the introduction of new hardware and software; eliminate all EPHI from equipment prior to disposal.
    • Limit physical access to equipment containing EPHI.
    • Implement a security plan and access controls (visitor sign-ins, escorts, etc.).
  • Technical. Control access to applications and systems and secure EPHI when transmitting over open networks.
    • Protect information systems storing EPHI from intrusion.
    • Maintain data integrity by ensuring that data is not added, modified, or deleted in an unauthorized manner.
    • Use encryption when sending EPHI over open networks.
    • Document security practices so oversight agencies can audit compliance.

Addressing HIPAA with IPLocks

The HIPAA Security Rule encourages organizations to employ database security software like IPLocks to maintain compliance. Here's how IPLocks addresses key requirements of the Security Rule:

  • Intrusion Prevention
    • Default account checks
    • Penetration tests
    • Automated Monitoring for Unusual Activities
  • Access Controls
    • Review all user rights to EPHI, whether directly granted or inherited
    • Monitor all changes to user privileges to ensure no inappropriate privileges to EPHI are granted
    • Provide a User Privileges Report that serves as an IT internal control and meets audit standards for such a control
  • Change Control
    • Baseline and review all assigned privileges and changes
    • Automatically monitor DBA activity and reconcile changes with change management systems to verify that each change is legitimate
    • Automatically Monitor user accounts for unusual activity, such as reviewing large numbers of records or logging in from unexpected locations.
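As an added illustration of the kind of unusual-activity monitoring the last group of bullets describes, here is a small Python detector that runs over a few constructed audit records and flags two patterns: a single statement reading a large number of EPHI rows, and a login from a source the account has not used before. This is example code written for this page, not IPLocks code and not a description of how IPLocks works internally; the pipe-delimited log format, the field names, the `LOCATION_BASELINE` table and the `BULK_READ_THRESHOLD` of 1000 rows are all assumptions made for the demonstration.

```python
"""Toy detector for two unusual-activity patterns on an EPHI database:
bulk record reads and logins from unexpected locations.

Added example, not IPLocks code. The log format, field names, threshold
and the per-user location baseline are assumptions made for the demo.
"""
from collections import defaultdict

# Constructed audit lines in an assumed format:
# timestamp|user|event|rows|source
SAMPLE_AUDIT_LOG = """\
2024-01-08T09:02:11|nurse_a|LOGIN|0|clinic-lan
2024-01-08T09:05:40|nurse_a|SELECT patients|12|clinic-lan
2024-01-08T09:30:02|dba_b|LOGIN|0|dc-admin-net
2024-01-08T09:31:17|dba_b|SELECT patients|48000|dc-admin-net
2024-01-08T22:14:03|nurse_a|LOGIN|0|unknown-vpn
2024-01-08T22:15:10|nurse_a|SELECT patients|9|unknown-vpn
"""

# Assumed baseline of where each account normally connects from (for example
# collected during a prior review period). A real deployment would maintain
# and periodically re-review this table rather than hard-code it.
LOCATION_BASELINE = {
    "nurse_a": {"clinic-lan"},
    "dba_b": {"dc-admin-net"},
}

BULK_READ_THRESHOLD = 1000  # assumed: rows per statement that count as a bulk read


def parse_audit_log(text):
    """Parse pipe-delimited audit lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # malformed line: skip it rather than crash the monitor
        ts, user, event, rows, source = parts
        try:
            rows = int(rows)
        except ValueError:
            continue  # non-numeric row count: treat as malformed
        records.append({"ts": ts, "user": user, "event": event,
                        "rows": rows, "source": source})
    return records


def detect_unusual_activity(records, baseline, bulk_threshold=BULK_READ_THRESHOLD):
    """Return a list of (rule, user, timestamp, detail) alerts in log order."""
    alerts = []
    for r in records:
        # Rule 1: a single statement touching many EPHI rows.
        if r["event"].startswith("SELECT") and r["rows"] >= bulk_threshold:
            alerts.append(("bulk_read", r["user"], r["ts"], f"{r['rows']} rows"))
        # Rule 2: a login from a source not present in the account's baseline.
        if r["event"] == "LOGIN":
            known = baseline.get(r["user"], set())
            if r["source"] not in known:
                alerts.append(("unexpected_location", r["user"], r["ts"], r["source"]))
    return alerts


def summarize(alerts):
    """Count alerts per user, the figure a periodic review report would show."""
    counts = defaultdict(int)
    for _rule, user, _ts, _detail in alerts:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_unusual_activity(parse_audit_log(SAMPLE_AUDIT_LOG), LOCATION_BASELINE)
    for alert in found:
        print(alert)
```

On the constructed log the detector raises two alerts: the 48,000-row read by `dba_b`, and the late-night login by `nurse_a` from `unknown-vpn`. Note that the second rule depends entirely on the quality of the baseline: an account whose baseline was never populated will alert on every login, and a baseline that was populated during a period of misuse will never alert, which is why the bullets above pair monitoring with a reviewed baseline of privileges and activity.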

Unlike many other products, IPLocks is fully compatible with the Security Rule requirement for encrypted networks, and it does not add latency or additional points of failure to business applications.