US organizations that transmit an individual’s protected health information (PHI) across electronic systems are required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA requires covered entities (CEs) to assure their customers that the integrity, confidentiality, and availability of the PHI they collect, maintain, use, or transmit is protected.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Encryption: The HIPAA encryption standard specified in the Security Rule is deemed ‘addressable’, which means that the CE must either implement encryption or come up with a ‘reasonable and appropriate’ solution that meets the regulatory requirement. As encryption technologies have matured and become more affordable, it is becoming more difficult to take the position that there are any ‘reasonable and appropriate’ alternatives to encryption.
To add to the already complicated interpretation of the rules, the recent HITECH Act specifies severe civil and criminal penalties for breaches of unsecured PHI, and further states that these penalties do not apply if data is encrypted or otherwise rendered unusable, unreadable, or indecipherable. Additionally, CEs are required to notify individuals of any unauthorized acquisition, access, use, or disclosure of unsecured PHI.
Auditing: The Technical Safeguards section of the HIPAA Security Rule states that CEs must “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
HIPAA’s Impact on Cloud Computing
Prior to the introduction of the HITECH Act, several cloud solution providers (CSPs) claimed that they did not fall under the HIPAA provisions, since they were not classified as CEs or business associates. However, many third-party data repositories and health information networks now fall into the expanded definition of ‘business associates’.
As a pioneer in cloud data protection, CipherCloud provides various highly secure AES-based encryption and tokenization options that replace sensitive information with anonymous values which respect the original formatting and preserve all native features and functionality of compatible cloud solutions, such as searching, sorting, and reporting. Customers retain full control of their data and encryption keys within their enterprise network. Additional key characteristics of CipherCloud include:
- Centralized logging and auditing of user activities in the cloud
- Rapid configuration and deployment
- Stateless and high-performance architecture
- Subscription-based pricing that eliminates up-front capital expenditure
According to “The 2010 Annual Study: U.S. Cost of a Data Breach”, the cost of a data breach is estimated at $214 per compromised record. By implementing CipherCloud, you can reap the benefits of migrating applications containing PHI to the cloud, such as reduced cost, faster deployment, agility, and scalability, while ensuring compliance with HIPAA:
- Avoid millions of dollars in expenses and civil and criminal penalties resulting from a PHI breach
- Protect organizational reputation and brand, since HIPAA breach notification laws do not apply to encrypted data