HIPAA Security Rule and Cybersecurity Operations

Abstract

Before jumping into specific safeguards of HIPAA and how security operations center (SOC) activities relate, some background may help put things in perspective. The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996. HIPAA focused on health coverage during gaps when workers change jobs to another. The act provided early incentives for entities to adopt digital records. The Security Rule was implemented on April 21, 2005, focusing on electronic Protected Health Information (ePHI) stored digitally. Enforcement of HIPAA was granted to the Department of Health and Human Services (HHS) on March 16, 2006, under the Enforcement Rule. HHS had the authority to investigate complaints and levy fines for privacy violations. The Health Information Technology for Economic and Clinical Act (HITECH) of 2009 incentivized healthcare organizations for adopting digital medical records. These incentives were part of a program termed Meaningful Use. Finally, in 2013 the Final Omnibus Rule went into effect. It was at this point when news of proactive audit programs surfaced, more news about investigations by HHS after breaches and fines became mainstream news.