What settings in Spirion Sensitive Data Platform impact HIPAA compliance?
In Spirion Sensitive Data Platform, settings that impact HIPAA (Health Insurance Portability and Accountability Act) compliance focus on the discovery, protection, and auditing of Protected Health Information (PHI).
HIPAA requires "Covered Entities" and "Business Associates" to ensure the confidentiality, integrity, and availability of PHI. Spirion helps automate these requirements through the following configurations:
1. PHI-Specific Data Types (AnyFind®)
Spirion includes built-in AnyFind® definitions specifically designed for healthcare data.
- Health Info: Enabling this data type allows the agent to find medical-specific identifiers such as ICD-9/10 codes, National Provider Identifiers (NPI), and Medical Record Numbers (MRN).
- Insurance Numbers: Specifically targets health insurance policy and group numbers.
- PII Overlap: HIPAA's definition of PHI includes 18 specific identifiers. You must also enable standard types like SSN, Date of Birth, and Address to ensure a complete PHI inventory.
2. Agent-Side Masking (Pre-Shipping Redaction)
To maintain HIPAA's "Minimum Necessary" rule and ensure that PHI is not unnecessarily stored in the SaaS console:
- Evidence Redaction: Configure the agent to mask/redact PHI matches before they are shipped to the console. This allows administrators to see that a file contains PHI (and where it is) without actually seeing the patient's sensitive medical data in the report.
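As an added illustration of the two points above (not Spirion's own code; the page does not describe how AnyFind validates a match), the following Python shows why a checksum-validated type such as NPI produces few false positives, and what agent-side evidence masking leaves for the console: the path and offset of a hit, but only a masked identifier. The NPI check-digit rule is the one CMS publishes; the file path and sample text are constructed.

```python
import re
from dataclasses import dataclass

# CMS computes the NPI check digit with the Luhn formula over the card-issuer
# prefix 80840 followed by the 10-digit NPI, so a candidate counts as an NPI
# only if the whole 15-digit string passes Luhn. Random 10-digit runs fail
# about nine times in ten, which is what keeps a discovery scan's noise down.
NPI_PREFIX = "80840"


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_npi(candidate: str) -> bool:
    return len(candidate) == 10 and candidate.isdigit() and luhn_valid(NPI_PREFIX + candidate)


def mask(value: str, keep: int = 2) -> str:
    """Keep only the last `keep` characters so a reviewer can correlate, not read, the PHI."""
    return "*" * (len(value) - keep) + value[-keep:]


@dataclass
class Finding:
    path: str
    offset: int
    data_type: str
    evidence: str  # already masked: the full identifier never leaves the agent


def scan_text(path: str, text: str) -> list:
    """Find checksum-valid NPIs in text and return masked findings (agent-side redaction)."""
    findings = []
    # exactly 10 digits that are not part of a longer digit run
    for m in re.finditer(r"(?<!\d)\d{10}(?!\d)", text):
        if is_npi(m.group()):
            findings.append(Finding(path, m.start(), "NPI", mask(m.group())))
    return findings


# Constructed sample: one valid NPI (the CMS documentation example), one
# 10-digit number that fails the check digit, and a 9-digit number of the wrong length.
SAMPLE = "Referring provider NPI 1234567893; fax 1234567890; claim 123456789"

if __name__ == "__main__":
    for finding in scan_text("/share/claims/2024-01.txt", SAMPLE):  # hypothetical path
        print(finding)
```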
3. Automated Remediation (Playbooks)
HIPAA requires technical safeguards to protect PHI from unauthorized access.
- Quarantine: Use Playbooks to automatically move files containing PHI from insecure locations (like a public file share or a laptop's "Downloads" folder) to a secure, encrypted, and restricted storage area.
- Encryption: Configure remediation actions to encrypt files containing PHI at rest.
- Shredding: Automatically delete PHI that has exceeded its legal retention period or is stored in high-risk locations.
4. OCR (Optical Character Recognition)
A significant amount of PHI exists in scanned images (e.g., faxed medical records, insurance cards, or handwritten notes saved as PDFs).
- Enable OCR: Ensure that OCR is enabled in your scan policies. This allows Spirion to "read" text inside images and PDFs, which is critical for healthcare environments where paper-to-digital workflows are common.
5. Role-Based Access Control (RBAC)
HIPAA requires that access to PHI be restricted to only those who need it for their job functions.
- Console Profiles: Use RBAC to ensure that only authorized Compliance Officers or Security Engineers can view scan results. You can further restrict visibility so that a user only sees results for their specific department or facility.
6. Audit Logging and Reporting
HIPAA requires regular reviews of system activity and audit trails.
- Audit Logs: The Spirion Console maintains a detailed Audit Log of all user activity, including who viewed a result and what remediation was performed.
- Heat Maps and Risk Reports: Use Spirion's reporting engine to generate "PHI Heat Maps" that show where your highest concentrations of health data reside, providing the "Risk Analysis" required by the HIPAA Security Rule.
SME Recommendations for HIPAA
- Prioritize "Data at Rest" on Endpoints: Lost or stolen laptops are a leading cause of HIPAA breaches. Use Spirion to ensure that PHI is never stored locally on unencrypted endpoints.
- Scan Email and Attachments: PHI frequently "leaks" through internal and external emails. Ensure your scan policies include Exchange/M365 and Gmail targets.
- Use "Sensitive Data Watcher": Enable real-time monitoring on servers that handle patient data to catch and remediate PHI "sprawl" as it happens.
Summary
Spirion supports HIPAA compliance by providing the accuracy to find complex medical identifiers, the automation to remediate PHI in insecure locations, and the auditing to prove that the organization is actively protecting patient privacy. These settings help healthcare organizations move from "hoping" they are secure to "knowing" they are compliant.