It's down to the wire for health-care providers: no more using Social Security numbers for patient IDs or completely trusting those handy wireless charts with personal information. HIPAA (the Health Insurance Portability and Accountability Act of 1996) made it official: individuals own the private information stored in enterprise filing cabinets and computer databases, and health-care providers must keep that information secure from prying eyes.
HIPAA requires safe electronic data interchange (EDI) of medical records, also known as protected health information (PHI), by covered entities such as health-care plans (HMOs, Medicare and Medicaid programs) and clearinghouses that store and process electronic health-care information. The HIPAA regulations include both a privacy and a security regulatory scheme in the Code of Federal Regulations (CFR Title 45 Part 164). The privacy regulations have been in effect since April 14, and the final security rules go into effect April 20, 2005, for most health plans (smaller health plans have until April 20, 2006, to comply).
HIPAA's security rules guard against unauthorized transmission of PHI only in electronic form: over the Internet, extranets, private networks, and leased and dial-up lines. Other technologies used to transmit PHI (voice over the telephone, paper-to-paper fax machines, and videoconferencing and voicemail systems) are considered analog transactions and therefore fall outside the scope of HIPAA's security rules. According to HIPAA, one representative in each covered entity is responsible for developing and implementing security policies and procedures.
Dissecting the Security Rules
HIPAA's security rules aim to be comprehensive, address all aspects of security and scale for large and small entities, but the rules are not linked to specific technologies. Instead, generic guidelines allow for new technologies to satisfy the rules. Generally, multiple solutions are required for the variety of rules that set standards and...