HIPAA Compliance: Keeping Health Data Secure

Complex Environment

Our personal health information contains some of the most personal and sensitive details about our personal lives. Indeed, this information is so sensitive that the physician-patient privilege has long been enshrined in law.

Yet personal health information (PHI) must flow smoothly through the complex institutional and operating environment of the health care system. It may be transferred between doctors' offices, hospitals and clinics, medical labs, insurance company billing departments, and a host of other entities.

In addition to PHI, medical records contain other sensitive data. This may include addresses, employment data, Social Security numbers, financial data such as credit card numbers, and other information.

Medical data, stripped of personally identifiable information (PII) must also be made available to medical researchers at university, institutional, and government laboratories.

The health care infrastructure is highly fragmented, each entity often having its own procedures for storing and handling data. In addition, all of these data management systems must be developed and tested, using realistic data – yet without compromising PHI.  


HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) has established compliance standards for protecting the integrity and confidentiality of PHI, such as individual medical records.

Traditionally nearly all of this information has been kept on paper, even in the Information Age. But the volume of digital medical data is expanding enormously, with both the federal government and the private sector making a concerted effort to make this information digital, portable, yet secure.

Thus the Health Information Technology for Economic and Clinical Health Act (HITECH Act) has further mandated compliance standards designed to protect PHI across the spectrum of medical information processing and warehousing.

All of this can add up to a daunting security challenge. Fortunately, powerful security tools are available, such as Data Masking.


Protecting Personally Identifiable Information (PII) using Data Masking

A research team from a leading university uses information from a well-known hospital to analyze cancer treatment results. This research involves accessing and distributing some information from patient records.

But HIPAA’s Privacy Rule at 164.502 (b)(1) states, "When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

A Data Masking solution is put in place. It automatically replaces PII with "safe" data in valid format when passing records through the security firewall perimeter. This Data Masking implementation not only makes the hospital's own data operations more secure and compliant, it also permits the university to continue receiving and working with vital statistic about patients and treatments.

Masked data allow the university research team to analyze treatment effectiveness without jeopardizing patient privacy. Both hospital and university meet their compliance requirements.


Holistic Security Approach

At GRT Corporation we take a proactive and holistic approach to security challenges and HIPAA compliance. Our goal is to help you protect PII as well as your other sensitive data, both "in motion" and "at rest." This data must be protected against not only deliberate attack but the many inadvertent causes of data loss and exposure.


Contact us to ease your compliance burden now