How FISMA Requirements Can Impact HIPAA Compliance
In the world of compliance requirements, two types of business practices are generally distinguished. The first, known as the “private sector,” are those regulations that apply to the for-profit, commercial industry. These may include HIPAA (for protected health information), SOX (for financial reporting), GLB (pertaining to information sharing), and others.
The “public sector,” on the other hand, is the business of the US Federal Government, and may include these governing security controls as well as the requirements of FISMA.
FISMA, or the Federal Information Security Management Act (enacted in 2002 and modernized in 2014), requires all agencies to protect sensitive data according to the information security guidelines of the FIPS 199 and FIPS 200 publications and the technical configurations found in the NIST (National Institute of Standards and Technology) 800 series, especially SP 800-53.
So How Does FISMA Relate to HIPAA?
While FISMA and HIPAA share similarities in the safeguards they require for sensitive information, an organization that follows FISMA will achieve HIPAA compliance without any additional methodology. The reverse does not hold, however: HIPAA guidelines do not encompass everything that FISMA compliance requires.
HIPAA provides guidance to covered entities (those who handle protected health information, or PHI) on the provisions required for the security and privacy of that health-related information. This may also apply to a subset of government agencies; under FISMA, however, ALL government agencies must assess, develop, and document their particular data security requirements and associated information systems in order to meet FISMA/NIST standards. (Not all NIST SP 800-53 controls will apply to every agency, as requirements may differ.)
In general, these standards include:
- Planning for security, including risk assessment of information and systems to ensure the appropriate level of security (see FIPS 199).
- Ensuring that appropriate officials are assigned security responsibility.
- Periodically reviewing the security controls in their systems.
- Authorizing system processing prior to operations and periodically thereafter.
You can read more about FISMA requirements and their implementation here.
A Few Questions About FISMA
One question that may arise is whether state agencies are required to meet FISMA as well as HIPAA compliance. The answer is yes, for those state-level agencies that are also covered entities — such as those administering Medicare and Medicaid, or veterans' health programs. Other federal programs administered at the state level, such as unemployment insurance and student loans, would also require FISMA compliance.
Another important question concerning FISMA is what happens when private enterprises bid on and secure government contracts. These companies — if they administer federal funds to healthcare or the life sciences, for example, or to various technology-related companies — will also be responsible for meeting FISMA requirements. This requirement must not be overlooked, lest critical funding be withdrawn and the company be left in serious financial straits. Companies preparing to compete for business with the federal government give themselves an advantage by maintaining FISMA compliance.
Finally, there are certain instances — such as the Federal Data Services Hub used for the Affordable Care Act — where a database contains both HIPAA-regulated and federal government information (e.g. income rates, employment status, health entitlements, criminal record, SSN, etc.) within the same environment. In this instance, since medical information coexists with federal data hosted on the same infrastructure, HIPAA compliance and FISMA requirements are both considered paramount, and technical controls should be configured accordingly.
If you have any questions about how your data can be secured to meet the appropriate compliance requirements, give us a call at 760–290–3460, or chat with us online at www.hipaavault.com.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing a secure infrastructure for telehealth companies, HIPAA Vault provides secure email, HIPAA compliant WordPress, and secure file sharing solutions.