How to Secure Health Care Data to Meet HITECH Act Compliance
Encryption or destruction
In August 2009, the Department of Health and Human Services (HHS) issued a statement specifying only "encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals."
Under that guidance, encryption and destruction are therefore the only two methods that render protected health information unusable to unauthorized parties, and thus the only two that exempt a covered entity from the HITECH breach notification requirements when such information is lost or stolen. Destroyed data cannot be used, so for data that must remain in use, encryption is the only route to this safe harbor. Note that the guidance grants the exemption only if the decryption key was not compromised along with the data; encrypted data stored together with its key does not qualify.
Because managing a public-key infrastructure (PKI) is complex, and because many early deployments were intrusive to applications and users, encryption acquired a negative reputation over the past decade. Advances in the market mean that association is no longer warranted, and healthcare organizations should bring their encryption knowledge up to date quickly.
Enterprise-grade encryption has evolved considerably since the HIPAA Security Rule was finalized in 2003. Today, organizations can protect information with little performance degradation, without rewriting applications, and with far lower management overhead than earlier products required. HIPAA-covered entities and their business associates that have not yet started should focus immediately on understanding the benefits and trade-offs of the different encryption approaches.
These entities and business associates should also learn the current state of the art and understand how management requirements differ between point (self-contained) encryption products, each of which handles its own keys and policy, and centrally managed solutions, which administer keys and policy for many systems from a single place.