Rick Howard: The word is: HIPAA.
Rick Howard: Spelled: H for healthcare, I for insurance, P for portability, A for accountability, and A for act. That's HIPAA, and not HIPPA as it is commonly misspelled, a mistake I didn't catch in my book, Cybersecurity First Principles: A Reboot of Strategy and Tactics, before I published it in the spring of 2023.
Rick Howard: Definition: A U.S. law designed to improve the portability and accountability of health insurance coverage.
Rick Howard: Example sentence: The history of HIPAA is important because it shows the progress of health care reform over the past 60 years.
Rick Howard: Origin and context: There is a long and convoluted history around how HIPAA came to be. It started when U.S. President Johnson signed legislation that led to the development of the Medicare and Medicaid programs in the 1960s. In the 1970s through the 1980s, Ted Kennedy, Senator from Massachusetts, was a key leader in the Healthcare for All movement. His strategy to pursue that vision was to take small, politically palatable legislative steps that addressed real needs and would eventually lead to wholesale reform. In 1992, President Clinton's big swing, a health care security card for all, failed to get the support it needed. So Senator Kennedy, along with Senator Kassebaum from Kansas, proposed a small step in the Health Insurance Reform Act, which eventually became the Health Coverage, Availability, and Affordability Act, sponsored by Representative Bill Archer, which in turn became HIPAA. On August 21st, 1996, President Bill Clinton signed HIPAA into law.
Rick Howard: In April 2003, the first HIPAA privacy rule went into effect. It defined protected health information, PHI, stipulated the permissible uses and disclosures and the circumstances in which authorization is required, and gave individuals rights over their own PHI. Two years later, in April 2005, the first security rule went into effect, designed to improve the protection of PHI that is shared amongst different health care providers and other entities. It defined three categories: administrative, for things like risk analysis, workforce clearance, security training, access management, and contingency planning; physical, for things like physical access to devices that hold electronic PHI, or ePHI, device security, data backups, and the secure disposal of data and devices; and technical, for things like password management, automatic log off, data encryption, audit controls, and transmission security.
Rick Howard: In 2006, the first HIPAA enforcement rule went into effect to address instances where covered entities were not complying with the security and privacy rules. It gave the Department of Health and Human Services, HHS, and its Office of Civil Rights, OCR, the powers to investigate complaints and issue fines, and it explained how HHS would conduct investigations and issue civil monetary penalties. In 2009, President Obama signed the Health Information Technology for Economic and Clinical Health Act, HITECH. The purpose was to incentivize healthcare providers to implement electronic health records, EHRs, by introducing the Meaningful Use Incentive Program. Later that year, the Breach Notification Rule became effective, a rule stipulating that affected individuals and HHS's OCR must be notified of all breaches of PHI.
Rick Howard: By 2010, Stage 1 of Meaningful Use was rolled out, and it continued until about 2018. In 2012, OCR released reports on audits it had conducted in 2011, which indicated that most organizations weren't in compliance with HIPAA. In 2013, the final omnibus rule went into effect to fill gaps in the existing HIPAA rules by specifying the encryption standards for ePHI, expanding the workforce definition to include employees, volunteers, trainees, and others, amending the privacy and security rules to allow patients' health information to be held indefinitely, and expanding the breach notification rule to ePHI. By 2018, the Meaningful Use idea was replaced by the Promoting Interoperability Program. The impact of all of these rules was that they likely made the modern world of electronic medical records safer for patients. But they also imposed a number of sometimes onerous regulations on medical providers and their IT partners, with annual compliance costs, according to Josh Fruhlinger at CSO Online in 2021, of at least 8.3 billion dollars a year. That's billion with a B. It also spawned a cottage industry of vendors willing to offer compliance help and the commercial entry of a wide variety of software packages designed to help a company stay in compliance with the law.
Rick Howard: Nerd reference: During the middle of the pandemic, in 2021, Dr. Dana Brims, a doctor of podiatric medicine, DPM, and host of the YouTube channel FootDocDana, responded to anti-vaxxers who think that asking whether they got vaccinated is a HIPAA violation. She sang this song in response.
Rick Howard: If you ask anti-vaxxers if they got the vaccination, some seem to think that asking that's a HIPAA violation. But unless you're a medical professional leaking private information, it's just a question they don't like, still legal, as a publication. So in the spirit of trying to ban things that you don't like us to view, here's some other things I think should be HIPAA violations too. How are you doing today? HIPAA violation. Is Pepsi okay? HIPAA violation. Is someone sitting here? HIPAA violation. Is music your career? HIPAA violation. What's your rising moon and sun? HIPAA violation. Have you seen Hamilton? HIPAA violation.
Rick Howard: Word Notes is written and edited by me, Rick Howard, and the mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. We're privileged that N2K and podcasts like Word Notes are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at N2K.com, and thanks for listening.