The requirements for healthcare providers to protect data at rest include the following two standards:

HIPAA: The US Health Insurance Portability and Accountability Act of 1996

HITECH: Health Information Technology for Economic and Clinical Health Act of 2009; introduced as a part of the American Recovery and Reinvestment Act of 2009

HIPAA protects the security and confidentiality of protected health information. The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI.

HITECH expands the requirements put forth in HIPAA and requires the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including those by business associates, vendors and related entities. It promotes the use of electronic health records (EHR) throughout all healthcare systems. HIPAA and HITECH are separate and unrelated laws, but they do reinforce each other regarding the security regulations that surround both of them.

To be in compliance:

  • Protect ePHI with file/volume encryption and field/column encryption as needed
  • Securely manage encryption keys and access policies with appropriate separation of duties
  • Decrypt data only for authorized users and processes on secure systems
  • Audit and monitor all access to ePHI
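The four checklist items above, as an added Go example that is not part of the original page: field/column encryption of ePHI with AES-256-GCM, a key holder kept separate from the record store (separation of duties), decryption gated on an access policy, and an audit entry for every read attempt, denied or allowed. The type names, the `clinician`/`billing` roles, the patient identifier and the record values are constructed for the example; the key is generated in memory here, where a real deployment would hold it in an HSM or KMS and layer file/volume encryption underneath.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// KeyManager wraps the data-encryption key and stands in for an HSM or KMS
// (assumed design). It is a separate type from Store, so the record store never
// handles key bytes: that is the separation of duties the checklist asks for.
type KeyManager struct{ aead cipher.AEAD }

func NewKeyManager() (*KeyManager, error) {
	k := make([]byte, 32) // AES-256 key; generated here only for the example
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyManager{aead: gcm}, nil
}

// EncryptField encrypts one column value with AES-256-GCM. The column name is
// bound as associated data, so a ciphertext cannot be moved to another column.
// Output is base64(nonce || ciphertext || tag).
func (km *KeyManager) EncryptField(plaintext, field string) (string, error) {
	nonce := make([]byte, km.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := km.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; it fails on tampering or a column mismatch.
func (km *KeyManager) DecryptField(enc, field string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil || len(raw) < km.aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	n := km.aead.NonceSize()
	pt, err := km.aead.Open(nil, raw[:n], raw[n:], []byte(field))
	if err != nil {
		return "", errors.New("decryption failed: tampered data or wrong column")
	}
	return string(pt), nil
}

// AuditEntry records every attempt to read ePHI, allowed or denied.
type AuditEntry struct {
	Time                         time.Time
	User, Role, PatientID, Field string
	Allowed                      bool
}

// Store keeps patient rows with their ePHI columns encrypted, plus the audit log.
// records maps patientID -> column -> ciphertext.
type Store struct {
	records map[string]map[string]string
	Audit   []AuditEntry
}

func NewStore() *Store { return &Store{records: map[string]map[string]string{}} }

// authorizedRoles is the access policy (constructed): only these roles may decrypt ePHI.
var authorizedRoles = map[string]bool{"clinician": true}

// AddRecord encrypts each ePHI column before it is written to the store.
func (s *Store) AddRecord(km *KeyManager, patientID string, phi map[string]string) error {
	row := map[string]string{}
	for col, val := range phi {
		enc, err := km.EncryptField(val, col)
		if err != nil {
			return err
		}
		row[col] = enc
	}
	s.records[patientID] = row
	return nil
}

// ReadField decrypts a column only for an authorized role and logs every attempt,
// so the audit trail shows denied reads as well as successful ones.
func (s *Store) ReadField(km *KeyManager, user, role, patientID, field string) (string, error) {
	allowed := authorizedRoles[role]
	s.Audit = append(s.Audit, AuditEntry{time.Now(), user, role, patientID, field, allowed})
	if !allowed {
		return "", errors.New("access denied: role not authorized for ePHI")
	}
	enc, ok := s.records[patientID][field]
	if !ok {
		return "", errors.New("no such patient or field")
	}
	return km.DecryptField(enc, field)
}
```

Two design points carry the compliance weight: the audit entry is appended before the policy decision, so a denied read by an unauthorized role still leaves a record to monitor, and the column name is authenticated as associated data, so a ciphertext copied from one field into another fails to decrypt rather than silently disclosing the wrong value. A read as `clinician` returns the plaintext; the same read as `billing` returns an error and a second audit entry with `Allowed=false`.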