Health Insurance Portability & Accountability Act (HIPAA)

Focus

The HIPAA Security, Privacy and Breach Notification Rules focus on the protection of patient healthcare data. The Security Rule outlines specific Physical, Administrative and Technical Safeguards for electronic PHI (ePHI).

Data

Electronic Protected Health Information (ePHI) covers 18 types of information, including patient names, addresses, social security numbers, email addresses, medical records, payment information and more.

Scope

U.S. & Global – All Covered Entities (Healthcare Providers, Health Plans, and Healthcare Clearinghouses) and their Business Associates that perform activities involving the use or disclosure of PHI.

Breach

Notification to HHS Secretary, All Affected Individuals, and Media Outlets in some cases.

Non-Compliance

Audits, Investigations, Significant Fines (Up to $1.5 million in fines per year), and possible Criminal Penalties.

HIPAA Requirements | Encryption Discussion | WinMagic Solution

HIPAA Requirement: Section 164.312, Technical Safeguards

  • 164.312 (a) Access Control
  • 164.312 (b) Audit Controls
  • 164.312 (d) Authentication

HIPAA specifically recommends the use of encryption, audit controls and authentication:

  • Implement a mechanism to encrypt and decrypt ePHI
    [164.312 (a)(1)]
  • Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
    [164.312 (b)]
  • Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
    [164.312 (d)]

SecureDoc Enterprise strengthens compliance with Technical Safeguard requirements by enforcing encryption, access controls and authentication.

The SecureDoc Full Disk Encryption advanced cryptographic engine is FIPS 140-2 validated, consistent with NIST 800-111.

Guide to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

This Guide outlines requirements for encryption of data-at-rest. Essentially, if encrypted devices are lost or stolen, and the confidential process or key is not also compromised, they are not subject to breach notification. It also requires that encryption be consistent with NIST 800-111.

SecureDoc significantly reduces the threat of a data breach with robust encryption and secure key management to ensure that confidential data and the keys to decrypt that data are protected – reducing the burden and costs associated with breach notification.

Guidance on HIPAA and Cloud Computing

If the ePHI is encrypted, but not at a level that meets HIPAA standards or the decryption key was also breached, then the incident must be reported…

SecureDoc CloudVM provides enterprise-controlled encryption and key management to protect against data breaches in the Cloud.