A lot of individuals are about as familiar with HIPAA as they are with PCI DSS, but the reason they know each one is quite different: people are aware of HIPAA because of the privacy statement they sign when they visit the doctor's office, and they are aware of PCI DSS because of credit card breaches. Behind that lies a fundamental difference in how each regime has enforced its requirements.
Punitive and public reprimands under HIPAA have been minimal (1 public audit to date), while PCI DSS enforcement actions are generally carried on the major media channels (WSJ). Recently I came across some published stats (which are regularly updated) that indicate the number of resolutions (6,467 for 2006) and the number of organizations that had corrective actions (1,571 in 2006). These numbers do not align with other public data (the Verizon data breach report, the Internet Crime Report, breaches of PII), but the variance may be because these figures include only cases where complaints were filed.
In addition, NIST updated SP 800-66 Rev1, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule". The comment period just ended, so a final version should be forthcoming. NIST describes the publication as follows:
"NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself."
The document is a great resource for any organization that is building its governance and control framework, and it contains references to other NIST documents that provide greater detail on individual topics. In addition to this document, HIPAA stakeholders should check out the CMS documents.
I'm looking for others' thoughts and perspectives on HIPAA compliance: the good and the bad, and any useful references.