The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), advances the electronic exchange of large amounts of health information and expands the reach of the HIPAA data privacy and security requirements to ensure the security of ePHI. The HIPAA Security Rule covers health plans, healthcare clearinghouses and healthcare providers. As of February 17, 2010, under the HITECH Act, business associates are also required to comply with the security rule requirements. HITECH establishes mandatory federal security breach reporting requirements, along with expanded criminal and civil penalties for non-compliance.

HITECH Breach Notification Requirements

The HITECH Act requires that covered entities and business associates disclose breaches of "unsecured PHI," which is defined as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance.”

The U.S. Department of Health and Human Services guidance states that “encryption and destruction [are] the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” In addition, it states that “we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.”

While 98 percent of survey respondents have a policy in place to limit the disclosure of Protected Health Information (PHI), only 52 percent employ encryption technologies to render data unreadable or unusable in the case of unauthorized access.1

Security Management Solutions from Lumension Help Covered Entities and Business Associates Secure ePHI and Ensure HITECH Compliance

Endpoint management and security software from Lumension enables Covered Entities and their Business associates to ensure HITECH compliance and enables the security of confidential electronic medical records. These solutions include:

  • Lumension® Patch and Remediation – Reduces organizational risk and optimizes IT operations through the timely, proactive elimination of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and 3rd party vulnerability content support includes Microsoft® Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle®, Java™ and more.
  • Lumension® Content Wizard – Delivers customized extensibility through wizard-driven and custom scripting tools to take any action on endpoints including deploying and removing software, remediating configurations, performing systems management tasks and delivering custom patches.
  • Lumension® Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates while reducing configuration drift.
  • Lumension® AntiVirus – Provides blacklist protection and removal for all malware including viruses, worms, spyware, Trojans and adware.
  • Lumension® Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted are allowed to execute. Includes Advanced Memory Protection to defend against sophisticated memory injection attacks.
  • Lumension® Device Control – Enforces usage policies for device and ports while providing FIPS 140-2 level 2 validated encryption of data on removable media to prevent data loss / theft.
  • Lumension® Disk Encryption – Enables full disk encryption to maximize endpoint security and performance with proven, FIPS 140-2 validated encryption algorithms; and offers encrypted swap and hibernation files for complete security.

Lumension solutions can help Covered Entities and their Business Associates protect against targeted attacks, prevent data loss or theft, enforce security policies, prepare for compliance audits, and lower the cost of IT security.

  1. Computer Sciences’ (CSC) Healthcare Group, 2010