"GT Datamaker is installed inside a major UK government department that cannot afford to be seen to flout the data protection laws. If you have similar concerns, you should contact Grid-Tools to find out more."
Bloor (Independent IT research analyst)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Act was created to improve access to health insurance by encouraging the widespread use of electronic data interchange, reducing abuse and fraud, and lowering the overall cost of healthcare in the United States. As a key provision, the Security Rule requires organizations to use appropriate measures and safeguards to protect the confidentiality, integrity, and availability of personally identifiable health information with regard to an individual’s physical or mental health or condition, their provision of health care, and their payment for that care.
The HIPAA regulation requires the securing of all production and non-production databases, because it requires all patient healthcare information to be protected whenever it is electronically stored, maintained or transmitted. It also mandates that each user be uniquely identified before being granted access to confidential information. The 1996 HIPAA law focuses on protecting health information: it exists to standardize communication between health care providers and health insurers and to protect the privacy and security of protected health information (PHI) on all systems. All PHI-related data residing on any database (production and non-production alike, including backups) or transmitted over the network requires protection. The key requirements from a database point of view are in Section 164.308 (administrative safeguards) and Section 164.312 (technical safeguards). To meet HIPAA compliance requirements, as with any other compliance regime, enterprises should first establish strong AAA (authentication, authorization and accounting) security on the DBMS, in addition to strong policies and procedures. They should also consider data-at-rest and data-in-motion encryption as well as data auditing solutions. Further, enterprises should look at data masking or data-generation tools to protect private data in test and development environments.
The Privacy Rule at 164.502(b)(1) states: "When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."
Thus, when using "test" data or sending test data to another covered entity, the identity of the individual is not necessary for the intended purpose. Care should be taken to de-identify the data so that individuals' identities are not revealed to program testers or other test staff.
The HIPAA Security Rule applies to health plans which include health, dental, vision and prescription drug insurers, health care clearinghouses, and to any health care provider that transmits health information in electronic form.
Organizations that do not comply with the Security Rule face civil and criminal penalties that range from fines to prison terms. Other unfavourable consequences for not protecting identifiable health information can include negative publicity, lost customers, loss of business partners, and legal liability as attorneys use HIPAA requirements as the basis for filing civil suits against non-compliant organizations.
Grid-Tools has experience in working with some of the top healthcare institutions in the world on test data management initiatives. With Grid-Tools, organizations are able to implement best practice techniques, save time and money and develop better testing and development results and standards. Grid-Tools’ success with healthcare organizations stems from a unique approach, a niche solution and an unparalleled track-record.
Your organization’s test data management initiatives are likely to focus on the generation or creation of compliant test or development data, and the management of this data. Many healthcare organizations are looking to share and manipulate production-like data across their test and development teams in highly complex environments.
Due to recent regulatory initiatives globally, organizations are unable to use “live” data in the creation of non-production scenarios. Likewise, in order to reduce complexity, reduce storage costs and increase productivity, many organizations are looking for alternatives to using and manipulating copies of large production databases in non-production environments.
Grid-Tools offers the flexibility to create data which models the referential and relational integrity of production environments, or to mask and de-identify production data, providing your organization with rich, compliant data sets. The result is less data, but more variety. This offers a flexible solution and a strategic method, with the data transforming into a reusable asset. Read more about our test data management solution, GT Datamaker™, here.
The creation of synthetic or masked data targets the problem of editing, hacking and manipulating production data, reducing test and development cycles, reducing disk space and saving time and money. It also eliminates the need to manually ensure your company’s healthcare records remain confidential. The end product is completely compliant with HIPAA regulations.
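The masking and de-identification approach described above (consistent pseudonyms so that referential integrity survives, direct identifiers removed, dates reduced to year) is illustrated below in Python. This is an added, stand-alone example written for this page; it is not GT Datamaker code or any Grid-Tools method, and the patient and claim records, the `MASKING_KEY` value, the synthetic name pool and the choice of which fields to keep are all constructed assumptions. The de-identification rules it applies are those of the HIPAA Safe Harbor method at 45 CFR 164.514(b)(2): remove direct identifiers, keep only the year of dates tied to an individual, and collapse ages of 90 or over into one category.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed "production" tables with fictional records (not real data).
PATIENTS: List[Dict] = [
    {"patient_id": "P-1001", "name": "Jane Doe", "dob": "1984-03-12",
     "ssn": "123-45-6789", "diagnosis": "J45.20"},
    {"patient_id": "P-1002", "name": "John Roe", "dob": "1931-11-02",
     "ssn": "987-65-4321", "diagnosis": "I10"},
]
CLAIMS: List[Dict] = [
    {"claim_id": "C-1", "patient_id": "P-1001", "amount": 120.50, "service_date": "2023-06-01"},
    {"claim_id": "C-2", "patient_id": "P-1001", "amount": 80.00, "service_date": "2023-07-15"},
    {"claim_id": "C-3", "patient_id": "P-1002", "amount": 300.00, "service_date": "2023-07-20"},
]

# Key for keyed pseudonymisation. Assumption: in a real deployment it stays with the
# masking job in the production zone and is never shipped to the test environment.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"

# Small pool of obviously synthetic names for the test environment (constructed).
SYNTHETIC_NAMES = ["Alex Testpatient", "Sam Testmember", "Chris Testsubscriber", "Pat Testenrollee"]


def tokenise(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed pseudonym for an identifier.

    HMAC-SHA256 maps the same production ID to the same token every time, so a
    foreign key masked in one table still matches the primary key masked in
    another. Without the key, the token cannot be re-derived by hashing guessed
    IDs, which a plain unkeyed hash would allow.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "T-" + digest[:16]


def synthetic_name(token: str) -> str:
    """Deterministic stand-in name derived from the token, so it is consistent per patient."""
    return SYNTHETIC_NAMES[int(token[2:], 16) % len(SYNTHETIC_NAMES)]


def mask_birth_year(dob: str, reference_year: int) -> str:
    """Safe Harbor: keep only the year of a birth date and collapse ages of 90+
    into a single category."""
    year = int(dob[:4])
    return "90+" if reference_year - year >= 90 else str(year)


def mask_patients(patients: List[Dict], reference_year: int) -> List[Dict]:
    masked = []
    for row in patients:
        token = tokenise(row["patient_id"])
        masked.append({
            "patient_id": token,
            "name": synthetic_name(token),
            "birth_year": mask_birth_year(row["dob"], reference_year),
            # SSN is dropped entirely: testers have no need for it.
            "diagnosis": row["diagnosis"],   # retained: needed for realistic test cases
        })
    return masked


def mask_claims(claims: List[Dict]) -> List[Dict]:
    masked = []
    for row in claims:
        masked.append({
            "claim_id": row["claim_id"],
            "patient_id": tokenise(row["patient_id"]),   # same key, so the FK still resolves
            "amount": row["amount"],
            "service_year": row["service_date"][:4],     # date tied to a person: year only
        })
    return masked


def check_referential_integrity(patients: List[Dict], claims: List[Dict]) -> bool:
    """Every masked claim must point at a patient present in the masked patient table."""
    ids = {p["patient_id"] for p in patients}
    return all(c["patient_id"] in ids for c in claims)


def find_phi_leaks(originals: List[Dict], masked_tables: List[List[Dict]]) -> List[str]:
    """Return any original direct identifier that still appears anywhere in the masked output."""
    identifiers = [v for row in originals for k, v in row.items()
                   if k in ("patient_id", "name", "dob", "ssn")]
    blob = " ".join(str(v) for table in masked_tables for row in table for v in row.values())
    return [ident for ident in identifiers if ident in blob]


if __name__ == "__main__":
    mp = mask_patients(PATIENTS, reference_year=2024)
    mc = mask_claims(CLAIMS)
    print("referential integrity:", check_referential_integrity(mp, mc))
    print("PHI leaks:", find_phi_leaks(PATIENTS, [mp, mc]))
    for row in mp:
        print(row)
```

The two checks at the end are the part worth keeping in any masking pipeline: `check_referential_integrity` confirms that joins still work in the test copy, and `find_phi_leaks` scans the whole masked output for every original identifier, which catches the common failure of masking one table while leaving the same identifier in a log, audit or lookup table alongside it.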