Meeting Data-at-Rest Discovery and Classification Requirements for HIPAA HITECH Act Compliance
Health Insurance Portability and Accountability Act (HIPAA) legislation requires Health Care providers, Health Plans, Health Care Clearinghouses, and those who carry out tasks on their behalf to handle personal healthcare data responsibly and securely.
Two key pieces of US Federal legislation define security compliance requirements for healthcare providers to protect data at rest:
HIPAA – The US Health Insurance Portability and Accountability Act (HIPAA) of 1996. The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed and the factors to consider when implementing and ensuring the success of a HIPAA encryption strategy. It also mandates that breaches of unsecured protected health information are reported.
HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act – enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act expands the compliance requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including those by business associates, vendors and related entities. Finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule.
Who must be HIPAA HITECH Compliant?
Business associates and covered entities are the two groups that must be HIPAA HITECH compliant. A business associate is any person that performs activities or functions that use or disclose protected health information, such as CPAs, attorneys, IT providers, healthcare billing and coding specialists, laboratories and many others. A covered entity is anyone in the health field that electronically transmits health information; covered entities include doctors, dentists, pharmacies and health insurance companies.
HIPAA Privacy Rule
The HIPAA Privacy Rule provides federal protection for personal health information (PHI) and gives patients rights to their own protected health information. The Privacy Rule permits the disclosure of PHI needed for patient care and applies to all healthcare providers, even those who do not use an Electronic Health Record (EHR) system. This protection covers electronic, paper, and oral mediums.
Spirion provides a solution to help organizations discover, classify, monitor and respond quickly to meet HIPAA Security Rule and HITECH compliance requirements transparently – without changes to operational processes and the daily work of healthcare professionals. Spirion provides technical safeguards to automatically identify and classify electronic protected health information with an easy-to-deploy, centrally managed solution that integrates with your existing security infrastructure. Spirion’s open Application Programming Interface (API) allows integrations with your existing Data Loss Protection (DLP) tools, encryption software, and data-archiving and storage solutions offered by leading technology providers such as Symantec, Intel Security and others, to help increase the benefits from existing spend on data security solutions.
Spirion Key features
Search everywhere and identify with zero false positives. Stop security breaches before they start
- Reliable discovery results with industry leading accuracy and precision
- Searches local/shared/removable drives, cloud storage, e-mail servers, databases, web servers, SharePoint sites, Windows/Mac/Linux workstations, web sites and file servers.
- Searches within all file types structured and unstructured – Office files, text, images, scanned images, e-mail messages and attachments, archives, deleted files, Outlook archives, and compressed files.
Classify results persistently
- Classifies sensitive data by category and priority to highlight the need for administrators and/or data owners to manage and protect results. Embeds classifications directly into files.
Secure unprotected information
- Secures results using a file shredder (based on DoD standard), redaction, encryption, or quarantine to a safe location.
Monitor and manage data operations centrally
- Identifies unprotected results and compares them with what employees have already secured, for trending analysis.
- Notifies data owners automatically
- Empowers employees to sanitize their data environment and monitors their progress with automated alerts and notifications without the extra staff burden.
Make employees part of the process
- Give employees access to classification add-ons in popular collaboration suites such as MS Office and Adobe Acrobat.
Highly scalable, flexible and secure architecture
- Highly scalable, open architecture that accommodates the growth of staff, processes and information across the enterprise.
- Enables organizations to scale and grow by providing the ability to orchestrate administrative and compliance processes consistently and globally.
- Integrates with Active Directory to simplify policy designation and group reporting.
- Within an hour start seeing sensitive data results.
- Within a day create an inventory of sensitive data on all systems.
- Within a week implement a data loss prevention strategy for continuous data protection.