HIPAA Compliance and Tokenization

Tokenization is well-known in the data security world for being a low-cost, high-benefit solution for problems with credit card security and PCI compliance. However, outside of the credit card sphere, tokenization is not nearly as commonly known or used. Today we’re going to attempt to break that paradigm by discussing how tokenization can be used in an entirely different way - to secure electronic protected health information (ePHI).

What HIPAA Compliance Means

In many ways, HIPAA compliance is similar to PCI compliance. HIPAA, or the Health Insurance Portability and Accountability Act, mandates that all personal health data and identifying information must be secured and transmitted according to certain rules and standards. The penalties for violating these standards can be stiff - much like with PCI. And making sure that your business is fully compliant can entail long and costly audits - again like ensuring PCI compliance.

The main difference between PCI compliance and HIPAA compliance is the much greater scope of HIPAA data that must be protected. The PCI Security Standards Council mandates that only the actual credit card numbers and other vital transaction data must be secured to achieve compliance.

In contrast, HIPAA data is enormously complex - it involves names, addresses, insurance policy numbers and rates, medical history data, doctor and hospital information, and far more beyond. Keeping this information secure is a much more challenging proposition.

Another hurdle to ensuring full HIPAA compliance is the mandate that only the minimum information necessary to conduct business be shared among different parties. In other words, if a doctor needs access to a patient’s medical history, looking up the patient’s file shouldn’t pull up the whole file - just the part that the doctor needs. And when you consider that different groups - like insurers, doctors, hospital billing departments, and patients themselves - will all need different sets of data, the difficulty of keeping it all secure becomes clear.

Tokenization and HIPAA

So, how do you manage this security problem? Traditionally the answer has been a combination of encryption and the honor system. Many hospitals and insurers use encrypted files to protect sensitive data, but encryption systems are expensive, slow, and require the management of huge numbers of keys to access the data.

And while we often trust doctors and insurance companies to be responsible with our information, time has shown that maybe we shouldn’t: cases abound of doctors, pharmacists and hospital employees accessing information they shouldn’t or leaving records in easily accessible locations.

Tokenization presents a solution to many of these problems. There are several major benefits to tokenization over other data security methods when it comes to HIPAA compliance, but there are two big ones worth discussing: token integration and ease of management.

Token integration simply means that a tokenized solution is easy to implement in your current data environment. Because tokens are simply random data that represents a sensitive value, the token can take almost any form. For instance, if you need a system to secure social security numbers, you can implement a tokenized solution that replaces all the real SSNs with numbers that look and function just like them in your record keeping system. However, these new numbers aren’t real SSNs, and don’t carry data compliance obligations. They just look and act similar.

Because tokens can be integrated into your environment with no fuss, the changes you must make to your systems to implement tokenization are minimal. That means less downtime and less hassle for you and your team.

The other way tokenization can improve HIPAA security is by making it easier to manage who has access to different sets of data. Because any data can be tokenized, it’s easy to create token sets for entire fields of medical data. And that data can only be accessed by someone who has the correct token - much like encryption can only be opened by someone who has the key. The difference, though, is that encrypted data can be cracked and exploited, whereas tokens can’t be reverse-engineered.

Because of this, it’s easy to control who has access to different pieces of data. If a pharmacist needs to use medical records, they return the token for that information, but not the tokens for other sensitive data. An insurance company could access insurance info without looking at a patient’s history. Tokenization, in essence, allows you to compartmentalize your data and manage it across different users simply and effectively.
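The two ideas above, SSN-shaped tokens and per-role access to tokenized fields, can be sketched as follows. This is an added example, not TokenEx code or part of the original article; the TokenVault class, the role names and the sample patient record are hypothetical, and the vault is an in-memory stand-in for what would be a separate, hardened service.

```python
import re
import secrets

SSN_SHAPE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

class TokenVault:
    """In-memory stand-in for a token vault (hypothetical design for this example)."""

    def __init__(self, role_fields):
        self._role_fields = role_fields   # role -> set of fields it may detokenize
        self._by_token = {}               # token -> (field, real value)
        self._by_value = {}               # (field, real value) -> token
        self.audit = []                   # (role, field, allowed) per detokenize call

    def _new_token(self, field):
        if field == "ssn":
            # SSN-shaped so existing schemas and validators still accept it.
            # Areas 900-999 are not issued as SSNs, so a token is never a real SSN.
            return (f"{900 + secrets.randbelow(100)}-"
                    f"{1 + secrets.randbelow(99):02d}-{1 + secrets.randbelow(9999):04d}")
        return "tok_" + secrets.token_hex(8)

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:     # same value -> same token, so joins still work
            token = self._new_token(field)
            while token in self._by_token:  # random draw: retry on collision
                token = self._new_token(field)
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def detokenize(self, role, token):
        field, value = self._by_token[token]
        allowed = field in self._role_fields.get(role, set())
        self.audit.append((role, field, allowed))  # record denials as well as grants
        if not allowed:
            raise PermissionError(f"{role} may not read {field}")
        return value

def tokenize_record(vault, record):
    """Replace every field of a patient record with its token."""
    return {field: vault.tokenize(field, value) for field, value in record.items()}

# Constructed sample data and role policy (not from the original article).
POLICY = {"pharmacist": {"prescription"}, "insurer": {"policy_number"}}
PATIENT = {"ssn": "000-12-3456", "prescription": "amoxicillin 500mg",
           "policy_number": "POL-0042", "history": "appendectomy 2009"}
```

The tokens are drawn at random and have no mathematical relationship to the values they stand for, so the only way back to the real data is a lookup in the vault, which is where the role check and the audit trail sit.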

HIPAA compliance might seem burdensome, but with the right security partner it doesn’t have to be. TokenEx is an enterprise data security company that provides scalable, intuitive tokenization systems to business clients of all types and sizes. If you would like to learn more about our systems and how they can help you manage your compliance issues, contact us today or visit us online.
