Entities regulated by HIPAA (the Health Insurance Portability and Accountability Act), as amended by HITECH (the Health Information Technology for Economic and Clinical Health Act), are subject to extensive data security requirements, and some states impose further requirements of their own. The rules apply to "covered entities" such as doctors, hospitals, insurers, pharmacies and other health-care providers, and to their "business associates": service providers that create, receive, access, process, store or maintain protected health information on behalf of a covered entity. "Protected health information" (PHI) under HIPAA is individually identifiable health information: information about an individual's health condition, the care provided, or payment for that care that identifies the individual or could reasonably be used to identify them, and that is created or received by a covered entity or business associate in the course of its services.
Data Fields Requiring Protection
The identifiers below are the ones HIPAA's de-identification standard lists; when all of them are removed, the remaining data is no longer treated as PHI.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes. (Note: in CipherCloud's model, county, ZIP code and geocodes are treated as anonymized once the name, street address, social security number, telephone numbers and similar fields are encrypted.)
- All elements of dates other than the year that are directly related to an individual, including birth date, admission date, discharge date, and date of death. (In CipherCloud's model these values are treated as anonymized once the individual's name and address are encrypted.)
- Telephone numbers, fax numbers, email addresses
- Social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs) tied to a specific person, and Internet Protocol (IP) addresses tied to that same person
- Biometric identifiers, including finger and voice prints; full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
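The list above is a rule set, and the easiest way to check whether a data export still carries PHI is to apply it mechanically. The following is an added example, not CipherCloud's product code and not an HHS reference implementation: it strips or reduces each listed identifier category from a constructed patient record (field names and the sample values are assumptions), sweeps free-text notes for identifiers that leak in unstructured fields, and reports which listed identifiers remain.

```python
"""Safe Harbor style de-identification of a patient record (illustrative).

Added example, not CipherCloud's code. Field names, the policy table and the
sample record are assumptions chosen to exercise each listed identifier class.
"""
import re
from datetime import date

# Field -> how the listed identifier categories are handled.
# "geo": smaller than state, dropped (state itself is kept); "date": keep
# only the year; "remove": dropped outright; "free_text": regex sweep.
FIELD_POLICY = {
    "name": "remove",
    "street": "geo", "city": "geo", "county": "geo", "zip": "geo",
    "state": "keep",
    "birth_date": "date", "admission_date": "date", "discharge_date": "date",
    "phone": "remove", "fax": "remove", "email": "remove",
    "ssn": "remove", "mrn": "remove", "plan_id": "remove", "account": "remove",
    "license_plate": "remove", "device_serial": "remove",
    "url": "remove", "ip": "remove",
    "fingerprint": "remove", "photo": "remove",
    "diagnosis": "keep", "notes": "free_text",
}

# Patterns swept out of free text. Constructed for the example; a production
# scrubber would need far broader coverage (names, MRN formats, etc.).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def year_only(value):
    """Reduce an ISO date string to its year, the only date element allowed."""
    return str(date.fromisoformat(value).year)


def scrub_text(text):
    """Replace identifiers found in free text; dates are reduced to the year."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if label == "date":
            text = pattern.sub(lambda m: m.group(0)[:4], text)
        else:
            text = pattern.sub(f"[{label} removed]", text)
    return text


def deidentify(record):
    """Apply FIELD_POLICY to a record; unknown fields are treated as identifiers."""
    out = {}
    for field, value in record.items():
        policy = FIELD_POLICY.get(field, "remove")
        if policy == "keep":
            out[field] = value
        elif policy == "date":
            out[field] = year_only(value)
        elif policy == "free_text":
            out[field] = scrub_text(value)
        # "remove", "geo" and unknown fields are dropped entirely
    return out


def residual_identifiers(record):
    """Fields that still hold a listed identifier (use on the output as a check)."""
    found = []
    for field, value in record.items():
        policy = FIELD_POLICY.get(field, "remove")
        if policy in ("remove", "geo"):
            found.append(field)
        elif policy == "date" and not re.fullmatch(r"\d{4}", str(value)):
            found.append(field)
        elif isinstance(value, str) and any(
                p.search(value) for p in FREE_TEXT_PATTERNS.values()):
            found.append(field)
    return found


SAMPLE_RECORD = {  # constructed test data, not a real patient
    "name": "Jane Q. Sample",
    "street": "12 Example Street", "city": "Springfield",
    "county": "Example County", "zip": "62704", "state": "IL",
    "birth_date": "1961-03-14", "admission_date": "2019-11-02",
    "phone": "217-555-0142", "email": "jane.sample@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-000123", "ip": "203.0.113.7",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 217-555-0142 on 2019-11-02; "
             "follow up by email jane.sample@example.com.",
}

if __name__ == "__main__":
    print(residual_identifiers(SAMPLE_RECORD))
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print(residual_identifiers(clean))
```

Two design points worth noting. Unknown fields default to removal rather than pass-through, so a new column added to the export cannot silently leak an identifier; and the check runs on the output, not the input, because the free-text sweep is where real-world de-identification usually fails. The example also simplifies the geographic rule: the actual standard allows the first three digits of a ZIP code to remain under a population-size condition, which this code does not implement.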
Customer Case Studies
As a pioneer in cloud data protection, CipherCloud provides AES-based encryption and tokenization options that replace sensitive values with anonymous substitutes. The substitutes respect the original format and preserve the native features of compatible cloud applications, such as searching, sorting, and reporting. Customers retain full control of their data and encryption keys within their own enterprise network. Additional key characteristics of CipherCloud include:
- Support for key rotation
- Centralized logging and auditing of user activities in the cloud
- Rapid configuration and deployment
- Stateless and high-performance architecture
- Subscription based pricing that eliminates up-front capital expenditure
Breach Notification Requirements & Exemptions
HIPAA requires notification of affected individuals, and in some cases the media and regulators, when PHI is breached. However, the notification rules apply to "unsecured" PHI: data that was encrypted in line with HHS guidance is not treated as unsecured, so its loss is generally not a reportable breach. The exemption holds only if the encryption keys were not lost or exposed together with the data, which is why keeping keys under the enterprise's own control matters.