HITECH Act and HIPAA Compliance: How to Secure Personal Information

Over the past four years, more than 250 million customer and patient records containing sensitive personal information have been lost or stolen. New and stricter federal and state legislation is mandating the protection of customer and patient personal information. Here, Knowledge Center contributor Gil Sever explains how to comply with the HITECH Act and HIPAA by implementing comprehensive data protection and data loss prevention solutions.


There are new and stricter federal and state requirements in place for protecting customer and patient personal information. Businesses are required to satisfy these regulations and protect the personal information of customers and patients. Businesses can comply with these regulations by using comprehensive data protection (encryption/port and device control) and data loss prevention (DLP) solutions.

What makes this a pressing concern is that both large corporations and small business owners are being held accountable. How does a company justify the cost of data protection solutions? Before answering that question, let's look at two recent examples of new compliance regulations, one concerning Personal Information (PI) and the second concerning Protected Health Information (PHI). These two examples show why businesses are justified in implementing a data security solution.

First example of compliance

Forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving PI. Beyond breach notification, several states have gone further and expanded the protection of individual and consumer PI itself.

For example, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has proposed new and extensive regulations (201 CMR 17.00: M.G.L. c. 93H) requiring "any persons who own or license personal information about a resident of the Commonwealth of Massachusetts" to comply with strict guidelines. The rule specifies the encryption of all transmitted records and files containing PI that will travel across public networks, be transmitted wirelessly, or be stored on laptops and other portable devices. The rule specifies that this encryption must be in place on or before March 1, 2010. The regulations also apply to entities outside of Massachusetts but doing business inside the Commonwealth.

What happens if a breach occurs? Massachusetts' comprehensive identity theft legislation was signed into law by Governor Deval Patrick on August 3, 2007. It specifies that when a breach occurs (that is, PI is lost, acquired by an unauthorized person, or used for an unauthorized purpose), notification must be sent to those affected, as well as to the attorney general and the director of the OCABR.

How is this enforced? The attorney general may bring an action against a business to remedy any violations. As more states require companies to comply with tight security regulations, companies will be hit with fines if they don't implement solutions that specifically prevent the leakage of sensitive data.