While the Health Insurance Portability and Accountability Act (HIPAA) is more than 20 years old, many organizations still struggle with compliance. HIPAA outlines data privacy and security controls that aim to safeguard the electronic protected health information (ePHI) at the core of the enterprise.
One Technical Safeguard called out in the HIPAA Security Rule is Access Control, which includes the encryption of ePHI. Although encryption is still listed as an ‘addressable’ control, one can easily make the argument that data encryption should be required, and the compliance and security payoffs are immediate. A well-designed access control strategy puts the organization in a proactive position before negative events occur, rather than waiting to react to them.