The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was an insurance reform bill presented to Congress as the Kassebaum-Kennedy Bill, and it has its roots in the 1993 Clinton healthcare reform proposals. Its primary intent was to provide better access to health insurance, limit fraud and abuse, and reduce administrative costs.
The goal of the Sarbanes-Oxley Act of 2002 (SOX) was to restore investor confidence in the financial reporting of public companies and to hold organizations' officers personally responsible for any financial misrepresentations. Relevant to information security professionals, SOX section 404 requires public companies to assess and report on the internal controls over their financial-reporting systems.
Of the two, the impact of SOX on information security has been much greater. With SOX, there is direct legal exposure, because the CEO and CFO both have to sign off on financial reports. That brings greater public and regulatory scrutiny, because the stakes are so much higher. Both the government and shareholders are likely to respond to even the perception of a SOX compliance deficit or of mismanagement in the business.
Contrast this with HIPAA, where the rules require something that people think should be done primarily for ethical reasons (protecting patient privacy), and where compliance responsibility is placed on an individual below the executive level. The number of organizations, agencies and hospitals that house personal health information has climbed considerably with the decentralization of health services and the advent of referrals through managed health networks.
Combined with outsourcing models for things such as clinical trials and marketing campaigns, the Department of Health and Human Services (HHS) might not have the proper processes, checks and balances required to govern adherence to HIPAA in all these touch-points. And given the choice, organizations will not spend money on HIPAA specifically unless enforcement controls are embedded in the design and deployment of new systems or processes that optimize and reduce cost.
On the other hand, the SEC, by the nature of its function, is an integral component within the checks and balances that ensure the validity of the financial results of public companies.
The stakes are higher, because this is a macroeconomic issue, so the critical auditing of new provisions such as SOX simply becomes another part of an already robust process.
John Rostern, director of technology risk management with consultancy JeffersonWells notes that while many of the issues covered by SOX in section 404 were previously covered by accounting standards (SAS-55, SAS-78, SAS-94), the fact that there was no penalty for non-compliance lessened their impact.
As a result, some healthcare providers are openly flouting the law and saying they are doing nothing for Security Rule compliance, while others are giving the security concept of "minimum necessary" an entirely new meaning.
What's particularly distressing is that this lax attitude among regulators and the regulated, although sometimes reinforced by legitimate financial constraints, exists just as the country is being urged to embrace electronic, "cradle-to-grave" medical records. As the country faces greater data exposure than ever, it is failing to implement commensurately stronger security and privacy controls.
Ultimately, without strong enforcement, HIPAA lacks real value and can never emulate the success enjoyed by SOX.
Why has HIPAA failed?
As far back as 2001, many were stating that HIPAA was a failure. One of the most confrontational articles was "HIPAA: Criminalizing Medicine" by Ronald Libby, Ph.D., in which he wrote that "from the point of view of physicians and other healthcare providers, HIPAA has been an unmitigated disaster. It has criminalized the practice of medicine, created fear and intimidation among healthcare providers and imposed unnecessary and onerous administrative burdens upon them. Not only has HIPAA added to the costs and inefficiency of healthcare, but it also strikes at the very heart of the practice of medicine in the country – the doctor-patient relationship."
The lack of enforcement has made HIPAA akin to jaywalking: an offense perpetrated by nearly everyone, given the lack of consequences. SOX is succeeding mainly because it has regulatory teeth behind it, with real fiscal consequences.
The upshot is that the spirit and intent of HIPAA are good, but its execution is flawed. Part of the issue is that HIPAA has been implemented in a very different manner than SOX, so we are not seeing as much proactive compliance activity around HIPAA as we have around SOX.
Rebecca Herold, a security and compliance consultant, notes that the penalties for SOX are generally much harsher than those for HIPAA, and the SOX penalties apply more directly to the executives in the organization than do the penalties for HIPAA.
Reinforced by such high-profile cases as Enron (which spurred SOX) and the penalties handed to its top executives, SOX has a more personal impact on the executive leaders of organizations than HIPAA does. CEOs and CFOs are personally accountable for certifying their company's financial reports. They do not want to go to jail, be on the news for non-compliance, or get hit with stiff penalties, such as up to $5 million in fines or up to 20 years in prison, on top of civil penalties.
With HIPAA, executives do not feel this direct personal stake, so they are not as motivated to proactively address HIPAA compliance. What's more, the enforcement agencies for SOX and HIPAA are quite different.
The SEC has a long history of taking proactive measures to ensure compliance. HHS, along with its HIPAA enforcement offices, the Office for Civil Rights for the Privacy Rule and the Centers for Medicare and Medicaid Services for the Security Rule, has publicly stated that, for now, its compliance activities will be complaint-driven, and that it will not be proactively looking for non-compliance.
Job supply and demand can be used as a measuring stick for the SOX vs HIPAA debate. From a hiring perspective, audit firms cannot get enough bodies to do SOX work, while those firms specializing in HIPAA are finding that they must constantly low-ball their rates.
In conclusion, HIPAA and SOX are two very different regulations with different mandates, and those differences have ultimately shaped their outcomes.
SOX is a regulation that has top-down enforcement from an agency with power, while HIPAA lacks that same strength.
The blame for the ineffective state of HIPAA rests firmly with Congress, which not only ducked its responsibilities under the law, but also created a major loophole for law enforcement access to patient records that undermines many of the apparent protections that it was supposed to provide.
HIPAA has succeeded in raising public awareness of how healthcare organizations protect personal information, but it has done little to improve the consumer's access to individual insurance coverage, and its regulatory provisions have increased the overall cost of coverage.
From a security and privacy perspective, most would agree that personal healthcare information is still at risk.
Finally, HIPAA has cost more than it was designed to save through the computerized streamlining of medical billing.
Congress may again revisit the HIPAA regulations when it decides to define and implement a healthcare information management system that would integrate patient data and streamline health information throughout agencies.
What will ultimately become of HIPAA, and how effective it might yet turn out to be, remains to be seen. But it is clear that the security and privacy revolution that this legislation was to bring has been a major letdown.
Ben Rothke is a security consultant with ThruPoint, Inc.