HIPAA

Entities regulated by HIPAA (Health Insurance Portability and Accountability Act), as amended by HITECH (Health Information Technology for Economic and Clinical Health Act), are subject to extensive data security requirements, and some states impose further requirements of their own. The regulations apply to “covered entities” such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as to their “business associates”, meaning service providers that access, process, store or maintain any protected health information on behalf of a covered entity. “Protected health information” under HIPAA generally includes any personally identifiable information collected by or on behalf of a covered entity in the course of providing its services to individuals.

Data Fields Requiring Protection:

  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes (Note: county, ZIP code, and geocodes become anonymized when the primary name, street address, social security number, telephone numbers, and similar field values are encrypted)
  • All elements of dates (except year) that are directly related to an individual, including birth date, admission date, discharge date, or date of death (these field values become anonymized when the individual’s name and address are encrypted)
  • Telephone numbers, fax numbers, email addresses
  • Social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs) tied to a specific person or Internet Protocol (IP) address numbers tied to that same person
  • Biometric identifiers, including finger and voice prints; full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

Breach Notification Requirements and Exemptions

HIPAA requires public notification for breaches. However, the loss of adequately encrypted data is not generally considered a breach and is exempt from notification requirements.

CipherCloud Enables HIPAA Compliance with:

  • Strong encryption and tokenization for cloud data, meeting HIPAA standards for data protection
  • Encryption keys controlled exclusively by customers, meeting “pseudonymization” requirements
  • Exemption from breach notification requirements by effectively anonymizing data
  • Technology specifically called for to meet Privacy by Design and Default principles
  • Dramatic reduction in audit scope by removing data exposure to cloud providers
