HIPAA is an acronym you have certainly been exposed to during any recent doctor’s visit: they ask you to sign a page that says you understand how they protect the privacy of your health information. It stands for the “Health Insurance Portability and Accountability Act,” which was signed into law in 1996. Among other things, it and its later companion act, HITECH, calls for privacy standards for individually identifiable health information, especially when stored in an electronic system.
HIPAA/HITECH are actually focused on delivering three things for you:
Confidentiality refers to your health records being private to you and to your designated health care professionals and so it involves strong privacy protection.
Integrity means any system holding your information should make it impossible for someone to enter and alter your records.
Availability means you want it to be totally reliable so if your health records are needed in an emergency they are always on line.
I am sure you are thinking to yourself “DAM systems don’t hold health records, or MRI scans, so why does this matter to me?” My Digital Asset Management system helps me manage photography, branded digital assets and other items in a centralized way to assist with collaborative efforts. Well, here’s one scenario: you work at a hospital, and your DAM system is used for fundraising, and includes photos from events, pictures of your star surgeons and great nurses. What if one photo shows a doctor chatting with a patient in a hallway, identifies them both, and there happens to be an “Oncology” sign in the picture? Rightfully or wrongfully, it could infer the patient has cancer. This kind of information is considered PHI (Protected Health Information) even if it is incidental. And no company wants to be accused of compromising PHI.
Hence more than the usual safeguards are required. To earn HIPAA compliance you need to segregate this kind of information, have controls over who can see it, extra precautions like additional firewall rules, and the data has to be encrypted even when it is “at rest” (on a hard drive someplace). The servers have to be in a biometrically secure facility, and all support personnel have to receive special training to be alert to possible intrusion attempts.
If you do not work in the health care industry, going with a vendor who has achieved HIPAA compliance may give you peace of mind if your DAM data is sensitive and you would prefer extra high security. The same standards of care may serve you well!