Health Information Protection

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to protect health information. Following it, the U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule and the HIPAA Security Rule to protect individually identifiable health information and electronic protected health information. These security standards and general requirements help health organizations ensure that patient data is protected against breaches and data theft. The security and privacy requirements relevant to web application security are listed in Part 164 of the "Administrative Data Standards and Related Requirements" subchapter.

RIPS tests for security vulnerabilities that can compromise the integrity or privacy of patient information. It can therefore help demonstrate compliance with the following HIPAA requirements, which can be checked with static analysis software.

| HIPAA Section | HIPAA Requirement |
| --- | --- |
| 164.306 | Security standards: General rules. |
| 164.306(a)(1) | Ensure the confidentiality and integrity of all electronic protected health information. |
| 164.306(a)(2) | Protect against threats or hazards to the security or integrity of such information. |
| 164.306(a)(3) | Protect against uses or disclosures of such information that are not permitted. |
| 164.308 | Administrative safeguards. |
| 164.308(a)(1)(i) | Implement procedures to prevent, detect, contain, and correct security violations. |
| 164.308(a)(1)(ii)(A) | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality and integrity of electronic protected health information. |
| 164.308(a)(1)(ii)(B) | Implement security measures to reduce risks and vulnerabilities. |
| 164.308(a)(3)(i) | Ensure protected health information (PHI) is accessed only by authorized people. |
| 164.308(a)(5)(ii)(B) | Procedures for detecting and reporting malicious software. |
| 164.308(a)(5)(ii)(D) | Procedures for safeguarding passwords. |
| 164.312 | Technical safeguards. |
| 164.312(a)(1) | Implement technical procedures to allow access only to those persons or software programs that have been granted access rights. |
| 164.312(c)(1) | Ensure data integrity by preventing inappropriate altering or deleting of data. |
| 164.312(e)(1) | Protect data transmitted over an electronic communications network. |
| 164.312(e)(2)(i) | Ensure that when data is electronically transmitted, it is not altered in an unauthorized fashion. |
| 164.312(e)(2)(ii) | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. |
| 164.530 | Administrative requirements. |
| 164.530(c)(1) | A covered entity must have in place appropriate technical safeguards to protect the privacy of protected health information. |
| 164.530(c)(2)(i) | A covered entity must safeguard protected health information from any intentional or unintentional use or disclosure. |