By Gil Sever  |  Posted 2010-03-30

HITECH Act and HIPAA Compliance: How to Secure Personal Information

There are new and stricter federal and state requirements in place for protecting customer and patient personal information. Businesses are required to satisfy these regulations and protect the personal information of customers and patients. Businesses can comply with these regulations by using comprehensive data protection (encryption/port and device control) and data loss prevention (DLP) solutions.

However, what is more of a concern for businesses is that both large corporations and small business owners are being held accountable. How does a company justify the cost of using data protection solutions? Before we answer this question, let's take a look at two recent examples of new compliance regulations, one concerning Personal Information (PI) and the second concerning Protected Health Information (PHI). These two examples will provide you with insight into the reasons why it is justified for businesses to implement a data security solution.

First example of compliance

Forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving PI. A national trend by several states has expanded the protection of individual and consumer PI to a new level.

For example, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has proposed new and extensive regulations (201 CMR 17.00: M.G.L. c. 93H) requiring "any persons who own or license personal information about a resident of the Commonwealth of Massachusetts" to comply with strict guidelines. The rule specifies the encryption of all transmitted records and files containing PI that will travel across public networks, be transmitted wirelessly, or be stored on laptops and other portable devices. The rule specifies that this encryption must be in place on or before March 1, 2010. The regulations also apply to entities outside of Massachusetts but doing business inside the Commonwealth.

What happens if a breach occurs? In Massachusetts, comprehensive identity theft legislation was signed into law by Governor Deval Patrick on August 3, 2007. This legislation specifies that when a breach occurs (and PI is lost or acquired by an unauthorized person or used for an unauthorized purpose), notification must be sent to those affected, as well as to the attorney general and the director of the OCABR.

How is this enforced? The attorney general may bring an action against a business to remedy any violations. As more states require companies to comply with tight security regulations, companies will be hit with fines if they don't implement solutions that specifically prevent the leakage of sensitive data.

Second example of compliance

As for the second compliance example, the Department of Health and Human Services (HHS) issued an interim final rule concerning procedures and notification of breaches of unsecured PHI under the Health Insurance Portability and Accountability Act (HIPAA). For breaches that were discovered on or after September 23, 2009, the new rule describes the process for notifying victims of the breach and also expands the accountability for a data leak to include business associates of the entity holding the PHI.

The rule also clearly specifies what constitutes "protected PHI." In these cases, notification to the affected party is not necessary. If the PHI is encrypted per the guidelines of the National Institute of Standards and Technology (NIST), then notification is not required. If, however, your PHI is unprotected, then the following three actions must occur:

Action No. 1: Within 60 days of the discovery, affected parties must be notified of the breach in clearly understandable language. Furthermore, prominent media must be contacted when over 500 are affected.

Action No. 2: The notification must explain the specifics of what occurred: what type of PHI was leaked and the steps that individuals can take to protect themselves.

Action No. 3: The responsible party must specify the steps they are taking to avoid harm to the individual affected such as contact procedures and information for those needing help.



With the advent of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), special incentives are accelerating the adoption of electronic record systems and exchanges between providers.

The government is investing $20 billion in health IT infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use the HITECH Act to electronically exchange patient health information.

However, with more electronic records comes more PHI that needs protection. The HITECH Act requires that an individual be notified if there is an unauthorized disclosure or use of his or her health information. This can be a costly process. These new regulations and compliance issues provide businesses with a reason for implementing data security solutions.

According to the Ponemon Institute, data breaches have serious financial consequences for an organization. Costs can also include direct expenses such as engaging forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services. According to the Ponemon Institute's Fourth Annual U.S. Cost of Data Breach study, the average cost of a data breach rose to $202 from the previous year's $197 per customer record.

In addition, they found that 75 percent of large corporations surveyed have suffered data leakage, with an average cost of $5 million per incident. With these huge sums of money associated with data loss and new regulations being implemented on a regular basis, the need for data protection has become top of mind for businesses. With the implementation of a DLP solution, a business is less likely to be non-compliant and more data will be secure.

Justifying the cost of data protection solutions

Back to our original question: how does a company justify the cost of data protection solutions? Consider a regional hospital with 500 beds, 1,000 employees and 200 laptops. The hospital serves a population of 100,000 and has one laptop stolen every six months, on average.

If 1,000 patient records were located on the stolen laptop and the hospital had to notify each patient at a cost of $202 per record, the hospital would be better off paying $4,000 for the encryption of the laptops to avoid spending $202,000 on the disclosure.

As the workforce continues to rely on and expand its use of mobile devices (that is, smartphones and laptops), the opportunity for leakage of sensitive information increases. Let's explore a real-life example: a business executive using his laptop from an airport lounge is communicating via Skype with his family and his child's soccer team coach. He accidentally attaches a customer list instead of the soccer team registration. An effective data protection system will warn and block the transfer.

This type of accident is fairly common. A recent report from the Ponemon Institute suggests that the most common breaches (64 percent) occur from company insiders. In its January 2009 study, it found that more than 88 percent of all cases involved insider negligence.

A comprehensive data protection solution can lower these statistics in several ways. First, it can assist organizations in identifying sources of unsecured PHI and PI. For example, advanced discovery tools are capable of quickly locating sensitive data no matter where it resides on your system. Second, an effective data protection and leakage prevention system comes bundled with extensive, ready-to-use templates containing policies that will provide effective protection and encryption with little to no user intervention. The more automatic and transparent the system, the better.

Educating and training users

Since the majority of leaks occur from an employee's lack of awareness, educating users is a top priority. Education may occur in the traditional sense; however, a data protection system that includes sophisticated dialog prompts provides "on the job training" of compliance and security policies. This unanticipated side benefit can both prevent a breach as well as train users. If an employee is about to send sensitive data unknowingly, he might be notified through a message prompt.

When data is appropriately protected, encrypted and secured, federal and state breach notifications can be avoided. In the long run, organizations can save a significant amount of money and avoid embarrassment and loss of public/consumer trust by deploying the right data protection and leakage prevention solution. Look for a comprehensive solution that is transparent and provides the right balance between productivity and protection.

The goal for all holders of sensitive data should be to pay a few dollars now to avoid paying much, much more later. Dollars, customers, credibility and potential lawsuits are all at stake.

Gil Sever is Founder and Chief Executive Officer of Safend. Prior to founding Safend, Gil held several senior-level positions within the security industry. Gil served as COO of ECTEL, a leading provider of monitoring solutions for IP, telephony and cellular networks. He also held the position of Israel Site Manager and VP of R&D for Aeroscout (formerly Bluesoft), a company focusing on WiFi and Bluetooth location finding.

Prior to his positions in the private sector, Gil served 18 years in the Israeli Defense Forces where he managed strategic planning and large-scale R&D groups and projects in the areas of communications, communication protocols and data security. Gil has a Bachelor of Science degree in Electrical Engineering from the Technion (Israel Institute of Technology) and a Master of Science degree in Electrical Engineering from Tel Aviv University. He can be reached at
