HIPAA | HITECH data security compliance
How Thales helps organisations comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA Rules and Regulations lay out three types of security safeguards required for compliance:
Enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act expands the HIPAA encryption compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records, including those by business associates, vendors and related entities.
The HIPAA Rules apply to covered entities and business associates:
HIPAA was enacted by the US Congress in 1996. The law has been updated several times since, such as in 2009 with the passing of the Health Information Technology for Economic and Clinical Health Act (HITECH), which added a new penalty structure for violations and made business associates directly liable for data breaches attributable to non-compliance with the Security Rule.
The penalties for non-compliance with HIPAA vary based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.9 million per calendar year. Violations can also result in jail time of one to ten years for the individuals responsible.
Thales helps organisations comply with HIPAA by addressing essential requirements for safeguarding protected health information (PHI) under three different sections of the law.
Covered entities must conduct an accurate and thorough assessment of the risks to PHI and business associates need to appropriately safeguard PHI.
1.A Conduct...:
“...assessment of risks to the confidentiality and integrity of electronic protected health information...”
CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.
8. b. 1:
“A covered entity may permit a business associate to create, receive, maintain, or transmit electronic PHI if … business associate will appropriately safeguard the information.”
Protect Data at Rest:
CipherTrust Cloud Key Manager can reduce third-party risk by keeping the keys that protect sensitive data hosted by third-party cloud providers on-premises, under the full control of the organisation, using “bring your own key” (BYOK) schemes.
CipherTrust Transparent Encryption provides complete separation of administrative roles where only authorised users and processes can view unencrypted data. Unless a valid reason to access the data is provided, sensitive data stored in a third-party cloud will not be accessible in cleartext to unauthorised users.
Thales data security solutions offer a comprehensive range of data protection options, from Thales Data Protection on Demand (DPoD), which provides built-in high availability and backup for its cloud-based Luna Cloud HSM and CipherTrust Key Management services, to the HSE network encryption appliances, which provide options to zeroise.
Covered entities must implement technical safeguards to secure access to protected information, authenticate persons and entities accessing PHI, and encrypt PHI at rest and in transit.
A. 1:
“Allow access to PHI only to those persons or software programmes that have been granted access rights”
Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorisation policies help ensure that the right user is granted access to the right resource at the right time, thereby minimising the risk of unauthorised access.
The Thales OneWelcome Consent & Preference Management module enables organisations to gather the consent of end consumers, giving them clear visibility of consented data and allowing them to manage access to the data they are permitted to use.
CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters. It provides complete separation of roles where only authorised users and processes can view unencrypted data.
D:
"Authenticate that a person or entity seeking access to electronic PHI is the one claimed."
SafeNet Trusted Access is a cloud-based access management solution that provides commercial, off-the-shelf multi-factor authentication with the broadest range of hardware and software authentication methods and form factors.
2. ii:
"Implement a mechanism to encrypt and decrypt electronic protected health information.”
CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:
Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, and across hybrid environments.
E. 1:
"Implement technical security measures to protect PHI being transmitted over ... a network"
Thales High Speed Encryptors (HSE) provide network-independent, data-in-motion encryption (layers 2, 3, and 4), ensuring data is secure as it moves from site to site or from on-premises to the cloud and back. Our network encryption solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception, without performance compromise.
Health information may not be considered PHI if it is not individually identifiable health information.
A:
“De-identification of protected health information. Health information that does not identify an individual … is not individually identifiable health information.”
CipherTrust Tokenisation permits the pseudonymisation of sensitive information in databases while maintaining the ability to analyse aggregate data without exposing sensitive data during the analysis or in reports.
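The de-identification pattern described above (replace direct identifiers with tokens, keep the rest of the record analysable) can be illustrated with a small keyed tokeniser. This is an added example written for this page, not CipherTrust Tokenisation's implementation or API: it uses HMAC-SHA256 under a secret key so that the same identifier always yields the same token (so per-patient aggregates and joins still work), keeps a separate vault for authorised re-identification, and checks that no original identifier survives in the pseudonymised set. The patient records, field names and key are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records: fictitious patients, not real data.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Alice Example", "dx": "J45", "visit_cost": 120},
    {"mrn": "MRN-0002", "name": "Bob Example",   "dx": "E11", "visit_cost": 200},
    {"mrn": "MRN-0001", "name": "Alice Example", "dx": "J45", "visit_cost": 80},
]

# Fields that directly identify the patient and must be pseudonymised (assumed schema).
DIRECT_IDENTIFIERS = ("mrn", "name")


class Tokeniser:
    """Keyed, deterministic tokenisation with a re-identification vault.

    Tokens are derived with HMAC-SHA256 under a secret key, so the same
    value always maps to the same token (counts and joins still work),
    while the token cannot be reversed without the key or the vault.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("tokenisation key must be at least 32 bytes")
        self._key = key
        self._vault = {}  # token -> original value; held only by the re-identification service

    def tokenise(self, value: str) -> str:
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + tag[:16]
        self._vault[token] = value
        return token

    def detokenise(self, token: str) -> str:
        """Re-identify a token; only an authorised process should hold the vault."""
        return self._vault[token]


def pseudonymise(records, tokeniser):
    """Return copies of the records with direct identifiers replaced by tokens."""
    out = []
    for record in records:
        copy = dict(record)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = tokeniser.tokenise(copy[field])
        out.append(copy)
    return out


def cost_per_patient(pseudo_records):
    """Aggregate analysis over tokenised data: total spend per pseudonymous patient."""
    totals = Counter()
    for record in pseudo_records:
        totals[record["mrn"]] += record["visit_cost"]
    return dict(totals)


def leaks_identifier(pseudo_records, original_records):
    """True if any original identifier value survives in the pseudonymised set."""
    originals = {r[f] for r in original_records for f in DIRECT_IDENTIFIERS}
    return any(r[f] in originals for r in pseudo_records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo only; in practice the key lives in a KMS/HSM
    tok = Tokeniser(key)
    pseudo = pseudonymise(SAMPLE_RECORDS, tok)
    print(cost_per_patient(pseudo))
    print("identifier leaked:", leaks_identifier(pseudo, SAMPLE_RECORDS))
```

The analyst sees only `tok_…` values and clinical fields, yet `cost_per_patient` still groups both of Alice's visits under one token; re-identification requires access to the vault, which is what keeps the analytic copy outside the PHI boundary.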