Overview
The Health Insurance Portability and Accountability Act (HIPAA) sets the privacy standards for protecting sensitive patient data. As per the HIPAA regulations, healthcare organizations and companies that handle sensitive protected health information (PHI) must have certain processes and security measures in place to handle this data. HIPAA provides the necessary framework that controls who has access to and visibility into the health data and restricting the sharing of this sensitive data.
Health Information Technology for Economic and Clinical Health (HITECH) Act
HITECH Act enacted in 2009 expands the scope of HIPAA bringing business associates and partners and vendors under the scope of HIPAA and holds them liable for compliance.
Challenges with HIPAA compliance
Complying with HIPAA can allow organizations to save millions of dollars that can be lost due to damages and fines levied because of data breaches. With more data and workloads moving to multicloud environments, some of the challenges faced by organizations in complying with HIPAA are:
- Access controls – Controlling access to data can be challenging depending upon where the data resides and the systems in use.
- Data integrity - Ensuring that the data can be read, modified, and deleted only by the authorized person.
- Data transfer - Ability to control how the data is transferred, the methods used, and the approval.
Featured Resource
EBook: Data Privacy in Public Cloud
How Fortanix can help meet HIPAA compliance?
Fine-grained access controls for users and data
Only the authorized person is given access to the encryption keys of the sensitive data and only for a specified duration of the business case.
Tamper proof audit logging
All access to personal data is automatically logged in a centrally viewable tamper-proof global audit trail by Fortanix. There is never any dispute about who accessed which data and when.
Tokenize PHI data
Comply with HIPAA regulations by substituting electronically protected health information (ePHI) and non-public personal information (NPPI) using a tokenized value.
Cryptographically enforced policy and auditing
Fortanix manages and enforces security policies including identity verification, data access control, and attestation to ensure the integrity and confidentiality of data, code, and applications. Using these policies, businesses can implement geo-fencing, and compute affinity to support data regulation policies such as HIPAA.
CISOs, CROs, and compliance leaders need to realize that there is no safe harbor for HIPAA compliance and cloud services. Moving protected health information into the cloud requires due diligence, defensible decision making, and the acceptance of risk.
