Security testing technology vendors help enterprises by offering scanning as a service -- performing vulnerability detection for enterprises, thus mitigating a lack of skills in IT departments.
– Joseph Feiman and Neil MacDonald, Gartner Inc., 2007
Veracode Solutions for HIPAA Compliance
Achieve HIPAA compliance in a simple and cost-effective way through on-demand application security testing.
Veracode HIPAA Compliance Solution
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two sections. HIPAA Title I mandates protection of health insurance coverage for people who lose or change jobs. HIPAA Title II provides for administrative simplification, requiring the development of standards for the electronic exchange of health care information, the protection of the privacy of personal health information, and the establishment of security requirements to protect that information. Additionally, Title II contains two key rules, the Security Rule and the Privacy Rule, with which health care institutions must comply in order to achieve HIPAA compliance.
HIPAA Privacy Rule
The Privacy Rule took effect on April 14, 2003 and establishes regulations for the use and disclosure of Protected Health Information (PHI). It gives patients the right to access their medical records, restrict access by others, request changes, and learn how their records have been accessed. The rule establishes the first set of basic national privacy standards and fair information practices that provide all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care.
HIPAA Security Rule
The Security Rule was issued in 2003 and lays out three types of security safeguards required for compliance: administrative, physical, and technical. It serves to ensure that internal controls are in place to enforce the Privacy Rule. Health care institutions must ensure the confidentiality, integrity and availability of all electronic protected health information and must protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Software Security and HIPAA
Unlike other compliance regulations, the Security Rule does not require specific technologies to be used. Health care entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis. Since the enactment of HIPAA in 1996, the industry has moved from paper-based solutions to an environment in which patient information is completely controlled by software and universally accessible via web applications. No HIPAA compliance effort is complete without ensuring that software applications have been tested for vulnerabilities that may compromise the integrity or privacy of patient information.
Veracode Helps Health Care Organizations Achieve HIPAA Compliance
Veracode’s on-demand application security testing ensures that software handling patient data has been evaluated for vulnerabilities. This enables organizations to provide evidence that the integrity and privacy of patient information have been protected in accordance with relevant sections of §164.308 to §164.312 of the HIPAA Security Rule as follows:

