HIPAA and HITECH Compliance and Protecting ePHI
Encryption and Administrative Controls are Key
HIPAA, the Health Insurance Portability and Accountability Act, and the follow-on HITECH (Health Information Technology for Economic and Clinical Health) Act are, broadly speaking, a set of rules designed to protect the confidentiality and integrity of ePHI (electronic protected health information). Any covered entity (CE: insurance companies, healthcare providers, etc.) is required to take a number of steps, including security, administrative and technical measures, to protect this patient data.
Non-compliance can result in civil or criminal penalties that can reach $1.5M per incident per year. In addition to fines, organizations also face the onerous task of notifying the public in the event of a serious data breach and the resulting loss of reputation.
The loss of a large number of ePHI records in a single incident is the biggest risk healthcare providers face. When data is held within major clinical applications, the controls of the application itself usually offer sufficient protection from mass data exfiltration. However, ePHI is commonly exported to, or available in, other systems with far less protection, and that is where the risk of large-scale data loss is significant.
Fortunately, the Safe Harbor provision of the HHS HIPAA rules allows covered entities to avoid breach notification if the data is encrypted to an acceptable standard. And obviously using encryption also means that the data will not be misused if it gets into the wrong hands.
HyTrust DataControl is a transparent data-at-rest encryption solution that satisfies the Safe Harbor provision. With support for virtual machines running Linux or Windows and centralized key management, DataControl is a simple but effective way to drastically lower the risk of a bulk ePHI data breach.
HyTrust also meets HIPAA/HITECH control requirements on virtual infrastructure. As more and more applications are virtualized, the virtual infrastructure supporting those applications also comes into scope for HIPAA and becomes a source of risk.