The Health Insurance Portability and Accountability Act (HIPAA) provides a set of standards to protect the sensitive data of patients. Companies dealing with Protected Health Information (PHI) must have administrative, physical, and technical security measures to be HIPAA compliant.

What is PHI?

PHI stands for Protected Health Information.

The HIPAA Privacy Rule provides federal protection for PHI held by covered entities. The Privacy Rule also permits disclosure of PHI where it is needed for patient care and other important purposes.

Covered Entities

Covered entities are anyone providing treatment, accepting payment, or carrying out operations in healthcare, together with their business associates: anyone who holds patient information while supporting treatment, payment, or operations. All covered entities must be HIPAA compliant, and so must their subcontractors and other business associates.


General Rules

The general rules of the Security Rule require covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI. Specifically, covered entities must:

  • Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated impermissible uses or disclosures.
  • Ensure compliance by their workforce.

Physical Safeguards

  • Facility Access and Control
    A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation and Device Security
    A covered entity must implement policies and procedures that specify proper use of, and access to, workstations and electronic media. It must also have policies and procedures in place for the transfer, removal, disposal, and reuse of electronic media, to ensure appropriate protection of PHI.

Administrative Safeguards

  • Security Management Process
    A covered entity must identify and analyze potential risks to PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Security Personnel
    A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information Access Management
    A covered entity must implement policies and procedures for authorizing access to PHI only when such access is appropriate based on the user or recipient’s role.
  • Workforce Training and Management
    A covered entity must provide for appropriate authorization and supervision of workforce members who work with PHI.
  • Evaluation
    A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Technical Safeguards

  • Access Control
    A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls
    A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls
    A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Controls
    A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed upon in December 2015.

GDPR applies to all companies that collect and process EU residents' data. Non-EU companies must appoint a GDPR representative and are held liable for all fines and sanctions.

The critical requirements of GDPR are:

  1. Lawful, fair, and transparent processing
  2. Limitation of purpose, data, and storage
    Collect only the information that is necessary, and discard personal information once processing is complete.
  3. Data subject rights
    A customer can ask what data an organization has on them and the intended use of the data.
  4. Consent
    Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.
  5. Personal data breaches
    Depending on the severity of the breach and the applicable regulatory requirements, the customer must be informed within 72 hours of identifying the breach.
  6. Privacy by Design
    Organizations should build organizational and technical mechanisms that protect personal data into the design of new systems and processes.
  7. Data Protection Impact Assessment
    A Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.
  8. Data transfers
    Organizations have to ensure that personal data is protected and GDPR requirements are respected, even when a third party handles the transfer.
  9. Data Protection Officer
    When an organization carries out significant personal data processing, it should appoint a Data Protection Officer.
  10. Awareness and training
    Organizations must make employees aware of the crucial GDPR requirements.

To achieve GDPR compliance in the cloud, the following additional steps are needed:

  1. Organizations should know where their data is stored and processed by the cloud service provider (CSP).
  2. Organizations should know which CSPs and cloud apps meet their security standards, and should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
  3. Organizations should have a data processing agreement with each CSP and cloud app they use.
  4. Organizations should collect only the data they need and should not process personal data any further than necessary.
  5. Organizations should ensure that the data processing agreement is respected and that personal data is not used for other purposes by the CSP or cloud apps.
  6. Organizations should be able to erase data at will from all data sources held by the CSP.
