HIPAA
The Health Insurance Portability and Accountability Act of 1996 established national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic health information.
This final rule was published on February 20, 2003, and compliance for all covered entities was required by April 20, 2006, but a recent survey by Emmes Group shows that less than 35% of senior
IT and security executives stated that their companies "fully comply" with U.S. privacy regulations, such as HIPAA and Sarbanes-Oxley.
The HIPAA Security Rule in §164.312 defines the technical safeguards required to protect and control access to patient data, but it does not delineate specific technology solutions.
Diplomat Transaction Manager products can help you meet all of the HIPAA technical safeguards that pertain to encryption and secure file transfer. With Diplomat products, you can:
- Easily schedule jobs to encrypt, decrypt, sign and verify files using PGP and securely transfer them using SFTP(SSH) and FTPS(TLS/SSL).
- Protect your file transfers with access control, authentication, and secure configuration features.
- Capture detailed data on each file transfer job in an audit trail database to demonstrate HIPAA compliance.
HIPAA §164.312 Technical Safeguards
Relating to Secure File Transfer Management |
Diplomat Features |
(a)(1) Access Control Allow access only to those persons or software programs that have been granted access rights. |
- Secure configuration
- Control access
- Automate transfers
- Authenticate users/processes
- Archive encrypted files
|
(a)(2)(i) Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity. |
|
(a)(2)(iii) Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
|
(a)(2)(iv) Encryption And Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. |
- Encrypt files – PGP
- Archive encrypted files
|
(b)(1) Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. |
- Capture audit data
- Monitor file transfers
|
(c)(1) Integrity: Property that data or information have not been altered or destroyed in an unauthorized manner. |
- Sign and verify files – PGP
|
(c)(2) Mechanism To Authenticate Electronic Protected Health Information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. |
- Sign and verify files – PGP
|
(d) Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. |
- Authenticate users/processes
|
(e)(1) Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. |
|
(e)(2)(i) Integrity Controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. |
|
(e)(2)(ii) Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. |
|
|
