HIPAA Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established a set of security standards used to protect the confidentiality of Personal Health Information (PHI). Recent regulations and mandates from the Department of Health and Human Services apply to HIPAA covered entities and any of their business associates that “access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI.”

In addition to protecting medical records, prescription details, and personal information, the standards outlined in HIPAA are meant to improve the efficiency and effectiveness of the U.S. healthcare system by encouraging the use of electronic data exchange. To learn more about HIPAA and other health information privacy requirements, please visit: http://www.hhs.gov/ocr/privacy/

How does HIPAA affect my organization?

To improve the efficiency and effectiveness of the healthcare industry, vast amounts of patient information are now handled electronically, which increases the need for strong data security. Patient information privacy laws such as HIPAA require that Protected Health Information (PHI) remain secure at all times. If your organization handles any amount of PHI, you may be required to meet HIPAA compliance requirements. If you are a business associate of a HIPAA-covered entity, the Health Information Technology for Economic and Clinical Health (HITECH) Act also applies to you.

SecureZIP offers government agencies the ability to use validated cryptographic modules for protecting data when run in FIPS mode.

Platform                                                       Cert #     FIPS Level
Win2K                                                          103        140-1*
WinXP                                                          238        140-1*
WinXP w/SP3                                                    989        140-2
Vista                                                          893/1002   140-2
Windows 7                                                      1330       140-2
Windows 8                                                      1894       140-2
Win2003                                                        382        140-2
Win2008                                                        1010       140-2
Win2008 R2                                                     1337       140-2
Win2008/2012 Server                                            1747       140-2
Win2012 Server                                                 1894       140-2
UNIX/Linux                                                     918        140-2
Java JRE 6                                                     1502       140-2
Android (coming soon)                                          1502       140-2
iOS                                                            1963       140-2
OS X                                                           1964       140-2
Z900, z800                                                     118        140-1*
Z990, z890                                                     524        140-2
Z990, z890, Z9EC, z9BC, z10EC, z10BC                           661        140-2
Z990, z890, Z9EC, z9BC, z10EC, z10BC, z196, z114, zEC12        1505       140-2

* See the FIPS 140-1 section below for NIST's position on FIPS 140-1 validated modules.

How does SecureZIP help meet HIPAA compliance requirements?

SecureZIP by PKWARE reduces the risk of data being lost or stolen as it is transferred among doctors' offices, labs, hospitals, and billing departments. It addresses HIPAA compliance by encrypting data so that it remains protected at its origin and its destination, whether in transit or in storage. Because SecureZIP encrypts the data itself rather than the storage device, the data remains protected even if it is placed on removable media that is lost or stolen during transit.

Customer Success Story: HIPAA Compliance Case Study

The Centers for Medicare & Medicaid Services (CMS), which enforces HIPAA regulations, uses SecureZIP PartnerLink not only to meet compliance requirements, but also to securely exchange sensitive information with hundreds of external partners, including other federal, state, and local government agencies, research labs, universities, and large corporations. To learn more about how CMS is leveraging SecureZIP PartnerLink, see the case study "CMS Data-Sharing Project Highlights the Benefits of a Multi-platform Approach."

In addition to meeting the standards outlined within HIPAA, SecureZIP helps address several other data security issues that government agencies face. Case studies and other resources on how SecureZIP can help with specific government data security issues are available from PKWARE.

FIPS 140-1

FIPS 140-1 validated products can be used to meet FIPS compliance requirements. The status of FIPS 140-1 is documented as follows by the NIST:

FIPS 140-1 became a mandatory standard for the protection of sensitive data when the Secretary of Commerce signed the standard on January 11, 1994. FIPS 140-2 supersedes FIPS 140-1 and was signed on May 25, 2001. The Implementation Schedule statement from FIPS 140-2 (page v) reads:

14. Implementation Schedule. This standard (FIPS 140-2) becomes effective six months after approval by the Secretary of Commerce. A transition period from November 25, 2001 until six months after the effective date is provided to enable all agencies to develop plans for the acquisition of products that are compliant with FIPS 140-2. Agencies may retain and use FIPS 140-1 validated products that have been purchased before the end of the transition period. After the transition period, modules will no longer be tested against the FIPS 140-1 requirements. After the transition period, all previous validations against FIPS 140-1 will still be recognized.

The CMVP posted a clarification to the implementation schedule on February 04, 2002 in the CMVP FAQ, Section 1 (Overview):

FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1. However, agencies may continue to purchase, retain and use FIPS 140-1 validated modules after May 25, 2002. Modules validated as conforming to FIPS 140-1 and FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information. However, a federal agency may choose to only procure a FIPS 140-2 validated module.

More information on this topic is available directly from the NIST at http://csrc.nist.gov/groups/STM/cmvp/index.html#04.