Is HIPAA Really Changing?
Here is a good summary link of the changes.
I think John did a good job outlining the key changes. There is no point in regurgitating the information he has already covered in detail. Overall, there are changes to penalties, new breach rules, business associate responsibilities, and more.
What I find interesting is that, according to his article, HHS is now responsible for issuing guidance specifying technologies and methodologies. To date I haven’t seen anything posted on their site yet, but they have until February 17, 2010, before the Act is in effect.
I believe many government-based organizations currently fail these controls miserably. It will be good to start seeing some accountability. I just hope they lay out the expectations clearly, unlike when PCI was first issued. I also hope there is some visibility into the ratings of each entity moving forward.
In the meantime, here are a few good older links to help entities make sure they are at least in tune with current expectations.