1. Complying with HIPAA Privacy and Security Standards
Complying with HIPAA Privacy and Security Standards
Whitepaper

2. Complying with HIPAA Privacy and Security Standards
The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to increase
the efficiency and effectiveness of the nation’s health care system by encouraging the widespread
use of electronic data interchange in health care.
It required significant changes in how the health care industry manages all aspects of information,
including billing, reimbursement, security and patient records. All the key players in the industry
including providers, payers, and clearing houses are required to comply with HIPAA.
The final rule adopting HIPAA standards for security was published in the Federal Register on
February 20, 2003. This final rule specifies a series of administrative, technical, and physical security
procedures for providers, payers, and clearing houses to use for assuring the integrity and confi-
dentiality of Electronic Protected Health Information (EPHI). The technical safeguards in the ruling
include:
• Access control: Policies, procedures, and processes must be developed and
implemented for electronic information systems that contain EPHI to only allow access to
persons or software programs that have appropriate access rights.
• Audit controls: Mechanisms must be implemented to record and examine activity in
information systems that contain or use EPHI.
• Integrity: Policies, procedures, and processes must be developed and implemented that
protect EPHI from improper modification or destruction.
• Person or entity authentication: Policies, procedures, and processes must be
developed and implemented that verify persons or entities seeking access to EPHI are who
or what they claim to be.
• Transmission security: Policies, procedures, and processes must be developed and
implemented that prevent unauthorized access to EPHI that is being transmitted over an
electronic communications network (e.g., the Internet).
As a result, insurers and providers are required to develop and implement enterprise-wide security
programs to comply with the security and privacy standards under HIPAA. Many have adopted the
ISO17799 standard to ensure compliance with the security standards of HIPAA and have deployed
a wide array of products which add layers of protection but also add significant complexity and cost.
Despite substantial investments, most organizations still struggle to find a mechanism
to define and enforce the right policies and controls to comply with HIPAA in a cost
effective manner.
The Agiliance solution is specifically designed to address these issues. It provides a holistic and
real-time view of security, compliance and risk across the whole enterprise. Agiliance enforces and
monitors policies & controls across functional and geographical boundaries within a company and
improves compliance with the HIPAA standard in a cost-effective manner.
© Agiliance, Inc.

3. Complying with HIPAA Privacy and Security Standards
Capabilities for ensuring compliance with HIPAA Security and
Privacy standards
The following are key capabilities of best-in-class solutions to ensure compliance using a standard
such as ISO17799/27001 to become compliant with HIPAA security and privacy standards
• Maintain a repository of all relevant assets (hardware, software, physical IT infrastructure,
and IT processes) that affect EPHI. Assets can either be brought in from external
asset management or configuration management systems or through asset discovery
technology. The system should support a comprehensive asset data model to document
relationships between assets, organizations, processes and people.
• Leverage surveys to identify how critical an asset is to maintaining the integrity and
confidentiality of EPHI and then assess its overall risk.
• Maintain a library of control objectives for a standard such as ISO17799/27001. By
mapping each control objective in the standard against the various asset classes and
their assessed risks, the user should be able to define and activate policies (including
security policies) to manage the risk.
• Track asset and configuration changes, integrate with monitoring tools and perform
manual assessments to identify policy violations.
• Compute an asset’s composite risk
score based on multiple criteria,
including business impact of its
impairment, compliance with policies,
including security policies, and
its vulnerability based on external
feeds. The risk score allows users
to prioritize which non-compliant
assets need to be addressed first for
remediation.
• Report on asset compliance scores
– both for status purposes, as well as
evidence of compliance for internal
and external auditors.
Agiliance and Compliance with HIPAA
The Agiliance IT-GRC Platform enables organizations to effectively analyze and decrease secu-
rity risk, and significantly reduce the cost of compliance with HIPAA. It is designed to address
key issues, such as “How secure is our IT infrastructure?”, “Do we have the right policies and
controls to mitigate privacy and security risk under HIPAA standards?”, or “How do we monitor
compliance with policies and controls across the enterprise on a continuous basis?” Its core value
proposition around a combination of assets, security policy and risk management makes it the
right solution for ensuring IT compliance with HIPAA.
© Agiliance, Inc. 3

4. Complying with HIPAA Privacy and Security Standards
Key capabilities Agiliance IT-GRC:
• Asset Management: Agiliance automatically builds and maintains an asset inventory
database leveraging data collected by many sources including Active Directory,
scanners, management systems and repositories.
• Policy Management: A policy library based on an industry-wide security standard
such as ISO 17799 allows a user to quickly define security policies. A powerful editor
allows creation of rich custom policies. Policy sets may be assigned to individual assets
or globally to groups. Manual policies are managed with customizable and automated
surveys.
• Policy Enforcement: Agiliance automates real-time monitoring to enforce automated
policies, monitor compliance and flag violations. When an asset is moved, it
automatically inherits the policies of its new environment.
• Risk Management: Agiliance incorporates multi-dimensional risk analysis capabilities,
which consider policy violations (non-compliance), threats and vulnerabilities, asset
and policy classification. It uses relative risk scores to prioritize the remediation of non-
compliant assets.
• Dashboards and Compliance Reports: Agiliance delivers pre-configured compliance
reports for a large number of regulations, as well as current status and trends.
• Remediation: Agiliance provides a risk-based prioritized action plan for remediation
of out-of-compliance assets and tracks the remediation process for assets under
consideration.
© Agiliance, Inc.

5. Complying with HIPAA Privacy and Security Standards
• Enterprise Class: Agiliance has a scalable and secure architecture, capable of managing
thousands of hosts and processing millions of daily events. Agent-less and agent-based
options make the solution easy to deploy and the rich browser-based user interface is easy
to use.
• Open Architecture: Agiliance is designed around an open architecture based on industry
standards. Open connectors easily integrate with and leverage your existing security and
management tools and platforms.
Agiliance enterprise integration
Agiliance, Inc. 1732 North First Street p: 408.200.0400
Suite 200 f: 408.200.0401
San Jose, CA 9511 www.agiliance.com 5