Spurred by the Health Insurance Portability and Accountability Act (HIPAA), which outlined a set of standards and guidelines for the protection and transmission of individual health information, as well as the subsequent amendment to address standards for the security of electronic protected health information, customers often ask me the following questions:

• Is your product HIPAA certified?
• Is your product HIPAA compliant?
• Will your product meet HIPAA standards?
• If I implement your products, will I be HIPAA compliant?

While this blog post is in no way to be construed as legal advice, I wanted to provide an overview pertinent to answering the above questions.

The Reality

In short, the answer to the above questions isNO!Here is why. There areno productson the market that are HIPAA certified or HIPAA compliant! I know this sounds challenging and some vendors have claimed that implementing their products will make the customer HIPAA compliant, but that is not the case.

HIPAA cannot be addressed with a single product or set of products. HIPAA is a series of policies and procedures that "covered entities" must implement to safeguard information. Products manufactured by Cisco and other technology companies can be used to implement those defined policies and procedures but the simple inclusion of a technology in the network does not automatically make an entity compliant. Products have to be configured to adhere to the standards set forth by HIPAA.

For a better grasp on the implications of HIPAA, let's take a look at some of the details outlined in the Act.

Covered Entities

First, let's examine a²"covered entity" as defined by HIPAA.

HIPAA standards apply only to:

• Health care providers who transmit any health information electronically in connection with certain transactions
• Health plans
• Health care clearinghouses

What is a Health Care Provider?

Any person or organization who furnishes, bills, or is paid for health care in the normal course of business

Protected Information

¹The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) Education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. (see the Privacy Rule at 65 FR 82496. See also 67 FR 53191 through 53193).

³The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI).

"Individually identifiable health information" is information, including demographic data, that relates to:

• the individual's past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C.