HIPAA | HITECH Data Security Compliance

How Thales helps organizations comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act

The Health Insurance Portability and Accountability Act


The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA Rules and Regulations lay out three types of security safeguards required for compliance:

  • Administrative Safeguards primarily concern the requirement to conduct ongoing risk assessments to identify potential vulnerabilities and risks to the integrity of PHI.
  • Physical Safeguards concentrate on the measures that should be implemented to prevent unauthorized access to PHI and to protect data from fire and other environmental hazards
  • Technical Safeguards relate to the controls that must be put in place to ensure data security when PHI is being communicated on an electronic network

What is the Health Information Technology for Economic and Clinical Health (HITECH) Act?

Enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act expands the HIPAA encryption compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records, including those by business associates, vendors and related entities.

Which companies are subject to HIPAA?

The HIPAA Rules apply to covered entities and business associates:

  • Covered Entities encompass all health care providers creating, receiving, maintaining, transmitting, or accessing protected personal health information (PHI), including health plans, health insurance organizations, hospitals, clinics, pharmacies, physicians, and dentists, among others.
  • Business Associates encompass third-party service providers that may create, receive, maintain, transmit, or access ePHI on behalf of covered entities. Examples include IT contractors or cloud storage vendors.

When did HIPAA go into effect?

HIPAA was enacted by the US congress in 1996. The law has been updated several times since, such as in 2009 with the passing of the Health Information Technology for Economic and Clinical Health Act (HITECH), which added a new penalty structure for violations and made Business Associates directly liable for data breaches attributable to non-compliance with the Security Rule.

What are the penalties for HIPAA non-compliance?

The penalties for non-compliance with HIPAA vary based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.9 million per calendar year. Violations can also result in jail time of one to ten years for the individuals responsible.

How can Thales help with HIPAA compliance?

Thales helps organizations comply with HIPAA by addressing essential requirements for safeguarding protected health information (PHI) under three different sections of the law.

HIPAA § 164.308 Administrative Safeguards

Covered entities must conduct an accurate and thorough assessment of the risks to PHI and business associates need to appropriately safeguard PHI.

Thales helps organizations by:

  • Discovering and classifying sensitive data and performing risk analysis
  • Reducing third party (business associate) risk

HIPAA Requirement:

1.A Conduct...:

“...assessment of risks to the confidentiality and integrity of electronic protected health information...”

Thales Solutions:

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

8. b. 1:

“A covered entity may permit a business associate to create, receive, maintain, or transmit electronic PHI if … business associate will appropriately safeguard the information.”

Protect Data at Rest:

CipherTrust Cloud Key Manager can reduce third party risks by maintaining on-premises under the full control of the financial institution the keys that protect sensitive data hosted by third party cloud providers under “bring your own keys” (BYOK) systems.

CipherTrust Transparent Encryption provides complete separation of administrative roles where only authorized users and processes can view unencrypted data. Unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud will not be accessible in cleartext to unauthorized users.

Thales Data Security solutions offer the most comprehensive range of data protection, such as Thales Data Protection on Demand (DPoD) that provides built in high availability and backup to its cloud-based Luna Cloud HSM and CipherTrust Key Management services, to the HSE network encryption appliances that provides options to zeroize.

HIPAA § 164.312 Technical Safeguards

Covered entities must implement technical safeguards to secure access to protected information, authenticate persons and entities accessing PHI, and encrypt PHI at rest and in transit.

Thales helps organizations by:

  • Managing access to PHI
  • Authenticating users and processes
  • Encrypting PHI at rest and protecting encryption keys
  • Encrypting PHI in transit

A. 1:

“Allow access to PHI only to those persons or software programs that have been granted access rights”

Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorization policies help ensuring that the right user is granted access to the right resource at the right time; whereby minimizing the risk of unauthorized access.

Thales OneWelcome Consent & Preference Management module enables organizations to gather consent of end consumers such that financial institutions may have clear visibility of consented data, thereby allowing them to manage access to data that they are allowed to utilize.

CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters. It provides complete separation of roles where only authorized users and processes can view unencrypted data.


"Authenticate that a person or entity seeking access to electronic PHI is the one claimed."

SafeNet Trusted Access is a cloud-based access management solution that provides commercial, off-the-shelf multi-factor authentication with the broadest range of hardware and software authentication methods and form factors.

2. ii:

"Implement a mechanism to encrypt and decrypt electronic protected health information.”

CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:

  • CipherTrust Transparent Encryption delivers data-at-rest encryption with centralized key management and privileged user access control. This protects data wherever it resides, on-premises, across multiple clouds, and within big data and container environments.
  • CipherTrust Tokenization permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data.
  • CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments over a diverse set of use cases.

Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, and across hybrid environments.

E. 1:

"Implement technical security measures to protect PHI being transmitted over ... a network"

Thales High Speed Encryptors (HSE) provide network-independent, data in-motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site-to-site or from on-premises to the cloud and back. Our network encryption solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception— without performance compromise.

HIPAA § 164.514 Other requirements relating to uses and disclosures of protected health information

Health information may not be considered PHI if it is not individually identifiable health information.

Thales helps organizations by:

  • Pseudonymizing and de-identifying personal health information using tokenization.


“De-identification of protected health information. Health information that does not identify an individual … is not individually identifiable health information.”

CipherTrust Tokenization permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data without exposing sensitive data during the analysis or in reports.

Related Resources

Data Security Solutions for HIPAA Compliance - Solution Brief

Data Security Solutions for HIPAA Compliance - Solution Brief

Ensure HIPAA compliance and implement HIPAA Privacy & Security Rules for comprehensive protection of patient health information, with our data security solutions. The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that created national...

Protecting healthcare and life-sciences data from a cyber-attack pandemic

Protecting healthcare and life sciences data from a cyber-attack pandemic - eBook

Regulations, such as HIPAA and GDPR, and global standards such as ISO 27799:2016 on health informatics, raise the bar for healthcare and life sciences organizations, obligating the protection of sensitive personal data and levying substantial fines for not doing so. Learn how...

Other key data protection and security regulations


Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.