HIPAA Compliance

Note: The HIPAA policy framework requires Enterprise Edition.

The Health Insurance Portability and Accountability Act (HIPAA) policy framework detects Protected Health Information (PHI) exposure and generates violations according to HIPAA Security Rule requirements.

Overview

HIPAA establishes standards for protecting sensitive patient health information. Aquilon DLP’s HIPAA policy helps covered entities and business associates comply with:

  • §164.306 - Security standards: General rules
  • §164.312 - Technical safeguards
  • §164.308 - Administrative safeguards

Protected Health Information (PHI)

The HIPAA policy detects the following PHI categories:

| PHI Category | Scanners | Severity |
|---|---|---|
| Social Security Numbers | ssn | Critical |
| Medical Record Numbers | medical_record_number | Critical |
| Health Plan IDs | health_plan_id | Critical |
| National Provider IDs (NPI) | npi | High |
| Date of Birth | date_of_birth | High |
| Email (patient contact) | email | Medium |
| Phone Numbers | phone | Medium |
| Addresses | address | Medium |

International Patient Populations

Healthcare organizations serving international patients may encounter national identification numbers from other countries. Aquilon DLP includes 28 country-specific national ID scanners for comprehensive coverage.

Common International IDs in Healthcare

| Region | Scanners | Use Case |
|---|---|---|
| Europe | france_nir, germany_steurid, uk_nino, + 11 more | EU/EEA patients, medical tourism |
| Americas | brazil_cpf, canada_sin, + 2 more | Cross-border healthcare |
| Asia-Pacific | india_aadhaar, japan_my_number, + 6 more | International patients |

Note: While SSN remains the primary identifier for US healthcare, organizations with international patient populations should enable additional national ID scanners. All scanners use country-specific checksum validation.

See Policy Frameworks for the complete list of all 28 national ID scanners.
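To show why the checksum validation mentioned above matters for false-positive rates, here is an added example (not Aquilon DLP's own scanner code) of two of the listed scanners: the Luhn check used by Canadian SINs (canada_sin) and the two mod-11 check digits of Brazilian CPFs (brazil_cpf). The candidate regexes and the sample text are constructed for this illustration; only the scanner names come from the page.

```python
# Added example of the checksum validation the national ID scanners rely on.
# Example code for this page, not Aquilon DLP's own scanners: the scanner
# names match the page, the candidate regexes and sample text are constructed.
import re

def luhn_ok(digits):
    """Luhn mod-10 check, which Canadian SINs use (canada_sin)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def cpf_ok(digits):
    """Brazilian CPF: two mod-11 check digits (brazil_cpf)."""
    if len(digits) != 11 or len(set(digits)) == 1:
        return False            # all-same digits pass the maths but are invalid
    for pos in (9, 10):         # check digit positions, weights count down to 2
        total = sum(int(d) * w for d, w in zip(digits, range(pos + 1, 1, -1)))
        check = 11 - total % 11
        if (0 if check >= 10 else check) != int(digits[pos]):
            return False
    return True

# Candidate patterns per scanner; the checksum decides whether a match is reported.
SCANNERS = {
    "canada_sin": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), luhn_ok),
    "brazil_cpf": (re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b"), cpf_ok),
}

def scan(text):
    """Return (scanner, match) pairs whose checksum validates."""
    findings = []
    for name, (pattern, check) in SCANNERS.items():
        for m in pattern.finditer(text):
            if check(re.sub(r"\D", "", m.group())):
                findings.append((name, m.group()))
    return findings

if __name__ == "__main__":
    # Constructed sample: two valid IDs plus a 9-digit number that fails Luhn.
    print(scan("SIN 046 454 286, CPF 529.982.247-25, invoice 123 456 789"))
```

The invoice number has the same shape as a SIN but fails the checksum, which is exactly the class of match a regex-only scanner would report.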

Scanner Mappings

Critical Severity

These findings always generate Critical violations under HIPAA:

  • SSN: Direct patient identifier
  • Medical Record Number: Unique patient identifier
  • Health Plan Beneficiary Number: Insurance identifier

High Severity

  • NPI: Healthcare provider identifier (may indicate patient-provider relationship)
  • Date of Birth: Combined with other data enables patient identification
  • Biometric Data: Fingerprints, retinal scans, voice prints

Medium Severity

  • Contact Information: Email and phone numbers when found in a healthcare context
  • Geographic Data: Address, ZIP codes (smaller than state)

Configuration

Basic Configuration

[policies]
enabled_policies = ["hipaa"]

Advanced Configuration

[policies.policy_configs.hipaa]
settings = { covered_entity = "true", confidence_threshold = "0.8", sensitivity_level = "3" }

Configuration Options

| Option | Description | Default |
|---|---|---|
| covered_entity | Indicates organization is a HIPAA covered entity | false |
| confidence_threshold | Minimum scanner confidence (0.0-1.0) | 0.7 |
| sensitivity_level | Severity multiplier (1=low, 2=medium, 3=high) | 2 |

Context Detection

The HIPAA policy elevates severity when healthcare context is detected around a finding:

Healthcare Context Keywords

  • Medical terms: patient, diagnosis, prescription, treatment
  • Healthcare entities: hospital, clinic, pharmacy, physician
  • Insurance terms: claim, coverage, beneficiary, EOB

Example

Finding: SSN "122-15-6289"
Context: "Patient record for treatment on 03/15/2024"

Result: Severity elevated from High → Critical due to healthcare context

Violation Metadata

Each HIPAA violation includes:

{
  "policy": "HIPAA",
  "severity": "critical",
  "phi_category": "ssn",
  "safeguard": "technical",
  "requirement": "164.312(a)(1)",
  "breach_notification_required": true
}
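The context detection and violation record described above, as an added worked example (not Aquilon DLP's implementation): base severities and the keyword lists are taken from this page, the one-step elevation rule, the use of the page's single safeguard/requirement pair for every scanner, and the breach-flag rule (covered entity plus Critical severity) are assumptions made for the illustration; sensitivity_level is not modelled.

```python
# Added example of the HIPAA policy's context-based severity logic. Not
# Aquilon DLP's own code: base severities and keywords come from this page,
# the one-step elevation and breach-flag rules are assumptions.
import re

# Base severity per scanner, from the PHI category table on this page.
BASE_SEVERITY = {
    "ssn": "critical", "medical_record_number": "critical",
    "health_plan_id": "critical", "npi": "high", "date_of_birth": "high",
    "email": "medium", "phone": "medium", "address": "medium",
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Healthcare context keywords listed on this page.
CONTEXT_KEYWORDS = {
    "patient", "diagnosis", "prescription", "treatment",
    "hospital", "clinic", "pharmacy", "physician",
    "claim", "coverage", "beneficiary", "eob",
}

def healthcare_context(text):
    """Return the healthcare keywords present in the text around a finding."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & CONTEXT_KEYWORDS)

def evaluate(finding, context, config=None):
    """finding: {"scanner", "confidence"}; config: hipaa settings as strings."""
    config = config or {}
    if finding["confidence"] < float(config.get("confidence_threshold", "0.7")):
        return None  # below the policy's minimum scanner confidence
    severity = BASE_SEVERITY.get(finding["scanner"], "medium")
    keywords = healthcare_context(context)
    if keywords and severity != "critical":
        # Assumption: healthcare context raises severity by one step.
        severity = SEVERITY_ORDER[SEVERITY_ORDER.index(severity) + 1]
    covered = config.get("covered_entity", "false") == "true"
    return {
        "policy": "HIPAA",
        "severity": severity,
        "phi_category": finding["scanner"],
        "safeguard": "technical",        # from the page's sample record,
        "requirement": "164.312(a)(1)",  # applied uniformly here (assumption)
        "breach_notification_required": covered and severity == "critical",
        "context_keywords": keywords,
    }

if __name__ == "__main__":
    print(evaluate({"scanner": "date_of_birth", "confidence": 0.9},
                   "Patient record for treatment on 03/15/2024",
                   {"covered_entity": "true", "confidence_threshold": "0.8"}))
```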

Compliance Reporting

Query PHI Exposures

-- All PHI exposures requiring breach notification
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'HIPAA'
  AND severity = 'critical';

-- PHI by category
SELECT scanner, COUNT(*) as count
FROM aquilon_dlp_alerts
WHERE policy = 'HIPAA'
GROUP BY scanner
ORDER BY count DESC;

Breach Risk Assessment

Under the HIPAA Breach Notification Rule, unauthorized access to PHI requires a risk assessment that considers:

  1. Nature and extent of PHI involved
  2. Unauthorized person who accessed PHI
  3. Whether PHI was actually viewed or acquired
  4. Extent to which risk has been mitigated

Aquilon DLP findings provide evidence for factors 1 and 4.

Best Practices

Monitoring Strategy

  1. Alert on Critical immediately: SSN, MRN, Health Plan IDs
  2. Daily review of High: NPI, DOB exposures
  3. Weekly audit of Medium: Contact information in healthcare contexts

Remediation Workflow

  1. Identify: Aquilon DLP detects PHI exposure
  2. Assess: Determine if breach occurred
  3. Contain: Remove or encrypt exposed data
  4. Document: Record incident for compliance
  5. Notify: Follow breach notification requirements if applicable

Integration with Incident Response

Forward HIPAA critical alerts to your incident response system:

-- Real-time HIPAA breach candidates
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'HIPAA'
  AND severity = 'critical'
  AND timestamp > datetime('now', '-1 hour');