Healthcare – HIPAA & Internal Privacy Policy

Company Profile

A major healthcare enterprise that provides and coordinates services for government-sponsored programs. It contracts with numerous physicians, hospitals and Federally Qualified Health Centers (FQHCs) across many US states.

Business Problem

The company wanted to use predictive analytics to improve patient outcomes and thereby reduce overall cost per member.

However, governance policy dictated that analysts must not have access to sensitive Protected Health Information (PHI) or Personally Identifiable Information (PII). That meant protecting data in Teradata, Oracle and SQL Server, as well as in applications and files.

In addition, recent breaches at other companies in the industry drove a mandate to review how sensitive data was handled and to secure it against external threats and unauthorized access.

Protegrity Solution

Protegrity deployed Database Protectors to de-identify PHI and PII across Teradata, Oracle and SQL Server, and extended the same protection to applications and files.

Fine-grained, field-level protection was applied with Protegrity Vaultless Tokenization (PVT) and is centrally managed by the Protegrity Enterprise Security Administrator (ESA).

PVT replaces each sensitive value with a token of the same data type and length, so existing table definitions and applications need no changes. Only the sensitive fields are tokenized; the rest of the record stays in the clear, and because a given value always maps to the same token within a data element, tokenized columns can still be joined, grouped and modeled. Analysts therefore run predictive analytics on de-identified data and never see the underlying PHI or PII.

ESA provides separation of duties: only the security team administers the protection policy, so it can block analysts from clear-text sensitive data while still letting them work with the tokens, and it defines the alerting and auditing that cover the entire data-security system.
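To make the two points above concrete, here is an added example, written for this page and not Protegrity's code or the PVT algorithm, of length- and type-preserving tokenization with policy-gated detokenization. It uses a toy HMAC-driven Feistel network in the style of NIST's FF1 format-preserving mode; the KEY, POLICY, role names, field names and CLAIMS rows are all constructed for the illustration. It shows a nine-digit member id and a dashed SSN tokenizing into values that still fit their columns, a cost-per-member aggregate that runs unchanged on the tokens, and a reveal step that returns clear text only for the fields the caller's role is allowed to see.

```python
"""Toy length- and type-preserving tokenizer (added example, not Protegrity code).

Built from an HMAC-driven Feistel network in the style of NIST FF1. It is not
PVT and is not production-grade; it only demonstrates the properties the case
study depends on: tokens fit the existing column type and length, the same
value tokenizes the same way within a data element (so joins and group-bys
still work), and only a key holder permitted by policy can reverse them.
"""
import hashlib
import hmac
from collections import Counter

DIGITS = "0123456789"
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROUNDS = 10

# Constructed demo key; a real deployment keeps keys in the security team's
# key management system, never in source.
KEY = hashlib.sha256(b"constructed-demo-key-not-for-production").digest()

# Hypothetical protection policy: which fields are sensitive, the alphabet
# their tokens must stay within, and which roles may detokenize them.
# Fields not listed (diagnosis code, cost, ...) are left in the clear.
POLICY = {
    "member_id": {"alphabet": DIGITS, "reveal": {"security_admin", "care_manager"}},
    "ssn": {"alphabet": DIGITS, "reveal": {"security_admin"}},
    "last_name": {"alphabet": LETTERS, "reveal": {"security_admin", "care_manager"}},
}


def _to_int(s, alphabet):
    n = 0
    for c in s:
        n = n * len(alphabet) + alphabet.index(c)
    return n


def _from_int(n, length, alphabet):
    chars = []
    for _ in range(length):
        n, d = divmod(n, len(alphabet))
        chars.append(alphabet[d])
    return "".join(reversed(chars))


def _prf(key, tweak, rnd, half, modulus):
    # Keyed round function over the data element name (tweak), round index and
    # the other half of the value, reduced into the half's numeric range.
    mac = hmac.new(key, f"{tweak}|{rnd}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def _feistel(value, key, alphabet, tweak, decrypt=False):
    """Keyed permutation on strings over `alphabet` that keeps their length."""
    if len(value) < 2 or any(c not in alphabet for c in value):
        raise ValueError("need >= 2 characters, all drawn from the alphabet")
    radix = len(alphabet)
    left, right = value[: len(value) // 2], value[len(value) // 2 :]
    if not decrypt:
        for r in range(ROUNDS):
            m = len(left)
            y = _prf(key, tweak, r, right, radix**m)
            left, right = right, _from_int((_to_int(left, alphabet) + y) % radix**m, m, alphabet)
    else:
        for r in reversed(range(ROUNDS)):
            m = len(right)
            y = _prf(key, tweak, r, left, radix**m)
            left, right = _from_int((_to_int(right, alphabet) - y) % radix**m, m, alphabet), left
    return left + right


def tokenize_field(value, key, alphabet, tweak, decrypt=False):
    """Tokenize (or detokenize) a field, leaving separators such as '-' in place."""
    core = "".join(c for c in value if c in alphabet)
    out = iter(_feistel(core, key, alphabet, tweak, decrypt))
    return "".join(next(out) if c in alphabet else c for c in value)


def protect(record, key):
    """What lands in the analysts' tables: sensitive fields tokenized, rest untouched."""
    out = dict(record)
    for field, rule in POLICY.items():
        out[field] = tokenize_field(record[field], key, rule["alphabet"], tweak=field)
    return out


def reveal(record, key, role):
    """Policy-gated detokenization; fields the role may not see stay tokenized."""
    out = dict(record)
    for field, rule in POLICY.items():
        if role in rule["reveal"]:
            out[field] = tokenize_field(record[field], key, rule["alphabet"], tweak=field, decrypt=True)
    return out


def cost_per_member(rows):
    """An analytic that works on tokens: aggregate cost by the tokenized member id."""
    totals = Counter()
    for row in rows:
        totals[row["member_id"]] += row["cost"]
    return totals


# Constructed sample claims; not real patient data.
CLAIMS = [
    {"member_id": "400012345", "ssn": "123-45-6789", "last_name": "GARCIA", "dx": "E11.9", "cost": 1250.0},
    {"member_id": "400012345", "ssn": "123-45-6789", "last_name": "GARCIA", "dx": "I10", "cost": 310.0},
    {"member_id": "400098765", "ssn": "987-65-4321", "last_name": "NGUYEN", "dx": "E11.9", "cost": 4100.0},
]

if __name__ == "__main__":
    protected = [protect(row, KEY) for row in CLAIMS]
    for row in protected:
        print(row)                                      # same shape as the originals
    print(cost_per_member(protected))                   # aggregation works on tokens
    print(reveal(protected[0], KEY, "analyst"))         # nothing revealed
    print(reveal(protected[0], KEY, "security_admin"))  # full record
```

Two things in this toy carry over to any real deployment. The tweak ties the token to a data element, so a member id tokenizes identically in every table and the aggregate above works without detokenizing anything; the same determinism means two claims from the same member are linkable by token, which is the intended analytics property and also something a privacy review should note. And because the key alone can reverse every token, the reveal path is the real control point: whoever holds the role that may detokenize sees everything, so that path needs to be restricted to the security function and audited, which is the role the case study assigns to ESA.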

Requirements & Challenges

  • Protect PHI and PII according to HIPAA & internal governance requirements
  • De-identify data while permitting unhindered predictive analytics on the data
  • Protect sensitive data at the field level, within Teradata, Oracle and SQL Server
  • Secure data in use, in transit and at rest
  • Institute separation of duties so that security administration is isolated to the security team

Results & Benefits

  • Sensitive patient data protected with PVT, satisfying privacy requirements
  • Enabled secure predictive analytics, improving patient outcomes and reducing cost per member
  • Heterogeneous support across Teradata, Oracle and SQL Server
  • Centralized policy-based access controls, monitoring, and reporting
  • No changes to existing tables or applications
  • Fast implementation and dedicated staff for case management