HIPAA / HITECH and Proofpoint
One of the goals of the Healthcare Information Portability and Accountability Act (HIPAA), signed into law in 1996, was to make it easier for workers to keep their healthcare insurance coverage when moving from one provider to another, for example, when changing jobs. To ensure uninterrupted coverage for patients, healthcare organizations needed the ability to share medical records efficiently and reliably.
To facilitate the efficient transfer of records, the bill set forth standardized terminology and Electronic Data Interchange (EDI) code sets. This standardization further pushed the migration from paper-based records to electronic medical records. But the ease of transferring patient information electronically also increased the risk of private data being inadvertently exposed to unauthorized parties. In response, legislators added security mandates to HIPAA to address privacy within covered entities.
There are three parts of the HIPAA privacy regulations that IT professionals should focus on:
EDI Rule (162.1000)
Establishes standards for health information technology and the use of electronic code sets. The standardization of healthcare terminology was required to eliminate confusion among providers and insurers.
Security Rule (164.306)
Establishes safeguards to protect the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that covered entities create, receive, maintain, and transmit.
Privacy Rule (164.502)
Requires healthcare organizations to protect protected health information (PHI) and defines the allowable uses and disclosures of PHI, in contrast to “de-identified” health information.
HITECH (Health Information Technology for Economic and Clinical Health)
In 2009, as part of an effort to stimulate the U.S. economy, $787 million was allocated with the American Recovery and Reinvestment Act (ARRA), which included legislation to broaden the scope of HIPAA while also giving investigators direct monetary incentives for levying fines. The HIPAA-specific aspects of the ARRA are found in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The three major areas of change brought about by HITECH are:
- Reach
- Before: Covered Entities: healthcare organizations
- Now: Covered Entities: expanded to business associates
- Notification
- Before: Loose notification requirements
- Now: Strict notification requirements – 60-day requirement + public notice on website (and notifying HHS)
- Economics
- Before: 2003-2008 – 31,000 cases reported, no one fined; in 2009, CVS fined $2.25 M
- Now: Fines up to $1.5 M / year; regulators at HHS now benefit directly from fines levied (significant uptick in fines)
How Proofpoint Addresses HIPAA/HITECH
EDI Rule (162.1000): Proofpoint Enterprise Privacy comes with medical code sets identified by the Department of Health and Human Services (HHS) Version 4010 (as well as the updated Version 5010).
Security Rule (164.306): Proofpoint Enterprise Privacy provides granular policies that allow healthcare organizations and other covered entities to automatically encrypt or block ePHI, as defined by the Privacy Rule.
Privacy Rule (164.502): Proofpoint Enterprise Privacy leverages the code sets identified by the EDI Rule and combines that detection with the presence of a personal identifier such as a Social Security Number (SSN) or medical record number – clearly demarcating protected health information (PHI) from de-identified health information.
Proofpoint Enterprise Privacy Key Capabilities:
- Accurate Detection of ePHI vs. de-identified health information: ePHI is identified using a combination of Smart Identifiers along with the code sets identified by the EDI Rule. Since the presence of a procedure code alone does not constitute ePHI, the ability to associate a medical procedure with, for example, a medical record number – matching the definition of ePHI – is critical for accurate detection. De-identified information can therefore be transmitted without encryption.
- Flexible Policy Management: Granular policies can be set, allowing specific sets of users to send and receive ePHI via a secure email encryption with Proofpoint Encryption, yet prevent other groups of users from sending ePHI altogether.
- Compliance Dashboard: Compliance officers have a dashboard view of their organization. Incidents that require review are highlighted, with one-click drill-down access to each specific incident that may require intervention or remediation. Reports summarize the number of encrypted messages that have been sent and the type of content that triggered the encryption.
- Full support for cloud-based email systems (e.g., MS Office 365): Proofpoint Enterprise Privacy is available as a cloud-based solution and provides the same rich functionality as the on-premises solution. It also integrates seamlessly with any cloud-based email solution, such as Microsoft's Office 365, ensuring HIPAA and HITECH compliance while leveraging the cost benefits of the cloud.
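The detection and policy ideas in the first two capabilities above (a medical code only counts as ePHI when it co-occurs with a personal identifier, and the resulting action depends on the sender's group) can be illustrated with the following added example. It is not Proofpoint's code; the code-set entries, identifier patterns, proximity window and group names are constructed assumptions standing in for the vendor's Smart Identifiers and HHS code sets.

```python
import re
from dataclasses import dataclass

# Constructed sample code set (assumption): a few ICD-10-CM / CPT-style
# entries standing in for the HHS-published code sets referred to above.
MEDICAL_CODES = {"E11.9": "diabetes, type 2", "I10": "hypertension",
                 "99213": "office visit", "93000": "ECG"}
CODE_RE = re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,4})?\b|\b\d{5}\b")

# Simplified identifier patterns (assumptions, not a vendor's Smart Identifiers).
IDENTIFIERS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}
WINDOW = 200  # chars: a code and an identifier must co-occur this closely

@dataclass
class Verdict:
    classification: str   # "ePHI" or "de-identified"
    action: str           # "encrypt", "block" or "allow"
    evidence: list        # (code, identifier type, identifier text) triples

def find_codes(text):
    # Only matches that are in the code set count, so ordinary 5-digit
    # numbers (zip codes, invoice numbers) are ignored.
    return [m for m in CODE_RE.finditer(text) if m.group() in MEDICAL_CODES]

def find_identifiers(text):
    return [(name, m) for name, rx in IDENTIFIERS.items() for m in rx.finditer(text)]

def classify(text):
    """ePHI = a recognised medical code within WINDOW chars of a personal
    identifier; codes alone (e.g. aggregate statistics) are de-identified."""
    evidence = []
    for c in find_codes(text):
        for name, i in find_identifiers(text):
            if abs(c.start() - i.start()) <= WINDOW:
                evidence.append((c.group(), name, i.group()))
    return ("ePHI", evidence) if evidence else ("de-identified", [])

def decide(text, sender_group, ephi_allowed=("clinical", "billing")):
    """Policy: groups permitted to send ePHI get it encrypted, all other
    groups are blocked; de-identified content is allowed through unencrypted."""
    cls, evidence = classify(text)
    if cls != "ePHI":
        return Verdict(cls, "allow", [])
    action = "encrypt" if sender_group in ephi_allowed else "block"
    return Verdict(cls, action, evidence)
```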