HIPAA Compliance Solutions
StratoKey helps organizations meet the requirements of HIPAA when storing, processing, or sharing Protected Health Information (PHI) in cloud and SaaS environments. With StratoKey's Cloud Data Protection (CDP) Platform, sensitive fields are encrypted before they leave your organization's control, and the keys stay with you rather than with the SaaS provider. Combined with audit and access controls, this keeps PHI protected throughout its lifecycle in the cloud: it safeguards patient privacy, reduces regulatory risk, limits the impact of a breach, and supports a claim to the HIPAA encryption "Safe Harbor".
What is HIPAA & Protected Health Information?
The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, is a U.S. federal law designed to improve healthcare system efficiency while protecting sensitive patient information. HIPAA's Privacy Rule sets national standards for the use and disclosure of PHI, and its Security Rule requires organizations to implement administrative, physical, and technical safeguards for PHI held or transmitted in electronic form (ePHI) to prevent unauthorized access, breaches, or data loss.
What are HIPAA Regulated Entities?
HIPAA Rules apply to covered entities and their business associates. Covered entities are:
- Health Care Providers that transmit health information electronically in connection with HIPAA-covered transactions
- Health Plans
- Health Care Clearinghouses
HIPAA also regulates "business associates": third-party vendors and service providers (including SaaS and cloud providers) that create, receive, maintain, or transmit PHI on behalf of a covered entity.
Information Protected Under HIPAA
The HIPAA Privacy Rule pays particular attention to personal "identifiers": data fields that can be used to link health information to an individual. Health information that contains such identifiers is PHI and must be protected. 45 CFR § 164.514(b)(2) of the Privacy Rule lists 18 identifiers (names, dates, contact details, account and record numbers, and so on) that must be removed before data is considered de-identified under the Privacy Rule's own safe harbor method. Regulated organizations should consider end-to-end encryption of these identifier fields wherever they are stored or processed in the cloud.
Encryption, A Technical Safeguard
The HIPAA Security Rule details specific safeguards to protect ePHI. The Technical Safeguards standard, 45 CFR § 164.312, specifies technical measures that are either "required" or "addressable". Encryption (at rest under the access-control standard, and in transit under the transmission-security standard) is currently an "addressable" implementation specification. Addressable does not mean optional: a regulated entity must implement the measure if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative. HHS has long recommended encryption, and under the proposed Security Rule update it would become "required".
"...would be reasonable and appropriate for regulated entities to implement a mechanism to encrypt ePHI, and regulated entities should already have done so in most circumstances."
- Department of Health and Human Services
Update to HIPAA Security Rule Making Encryption a Required Safeguard
The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule. The proposed changes aim to address modern cybersecurity threats and strengthen protections for ePHI.
A key proposed update concerns encryption: encryption of ePHI, currently "addressable", would become explicitly "required" both in transit and at rest, subject to limited exceptions.
Read more: Encryption of ePHI, a Required Safeguard for HIPAA Compliance
StratoKey Helps You With Encryption Safe Harbor
StratoKey supports both the HITECH encryption safe harbor, by rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals, and the HIPAA Safe Harbor Law for recognized security practices.
Encryption Safe Harbor
Under the HITECH Act and the HIPAA Breach Notification Rule, breach notification is only required for "unsecured" PHI. HHS guidance provides a "safe harbor" for ePHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, for example by encryption consistent with the NIST publications that guidance references. The safe harbor only holds if the decryption key was not also compromised, which is why HHS expects keys to be kept on a separate device or system from the encrypted data.
Why SaaS Provider Encryption May Fall Short
Many SaaS providers' native encryption offerings fall short of this standard: the keys are often stored alongside the data and controlled by the same provider, so a compromise of the provider exposes both, or the encryption in use is not standards-compliant (for example, not FIPS validated). StratoKey uses FIPS-validated cryptographic libraries to encrypt ePHI and stores the keys independently of the SaaS application, so that a breach of the provider's environment yields ciphertext without the means to decrypt it.
Cybersecurity Safe Harbor
The HIPAA Safe Harbor Law (H.R. 7898, signed in January 2021) encourages organizations to adopt "recognized security practices". If an organization can demonstrate that such practices were in place for at least the previous 12 months, HHS must take this into account when determining fines, audit outcomes, and other remedies following a security incident.
What Counts as Recognized Security Practices?
Recognized security practices are the standards, guidelines, and best practices developed under the NIST Act (notably the NIST Cybersecurity Framework) and the approaches developed under section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices, HICP). Encryption of ePHI is a core practice in both. StratoKey's controls align with NIST SP 800-53 and SP 800-171.
StratoKey is Your Complete Cloud Data Protection Stack to Help Meet HIPAA Technical Safeguards
StratoKey helps implement the Technical Safeguards specified under 45 CFR § 164.312 for the protection of ePHI. These extend beyond encryption to encompass access control, monitoring, audit capabilities, security analysis, and defensive security policies.
End-to-End Encryption
Protects ePHI using FIPS-validated encryption before data leaves your control, helping secure its entire lifecycle.
Access Control
Enforces user identification, group policies, and advanced controls like device profiling and security analysis.
Audit Controls
Logs every user interaction with PHI, supporting HIPAA’s audit requirements and enabling rapid incident response.
Monitoring & Policy Enforcement
Delivers analytics and immediate policy enforcement to detect and prevent unauthorized access or data misuse.
StratoKey Provides Clear Benefits for HIPAA-Regulated Organizations
- Prepare for the proposed Security Rule update, under which encryption of ePHI becomes a "required" safeguard.
- Achieve HIPAA Safe Harbor by ensuring that PHI is encrypted in transit and at rest (entire lifecycle).
- Reduce third-party vendor risk through comprehensive safeguards aligned with the shared responsibility model.
- Control how you manage encryption keys and separate encryption keys from data (not all native SaaS encryption solutions provide this).
- Mitigate third-party breach risk with encryption managed at arms-length from SaaS in use.
- Meet a wide range of technical safeguards with audit capabilities, access management, monitoring and security controls.
- Secure PHI across popular applications (NetSuite, Salesforce, Pipedrive etc.) and maintain app functionality.
- Meet regulatory requirements for the storage and processing of health data across jurisdictions with on-shoring solutions.
Why You Should Prioritize Encryption With StratoKey
Encryption Security Rule Update
Under the proposed HIPAA Security Rule update, encryption of ePHI would become a "required" rather than "addressable" safeguard. Encryption would then be a mandatory technical safeguard for ePHI and fundamental to HIPAA compliance.
Encryption Safe Harbor
Encrypting PHI, with keys kept separate from the data, provides a "safe harbor" from breach notification obligations and the penalties and costs that follow a reportable breach. Encryption is an HHS-approved method of rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.
Shared Responsibility Model
Cybersecurity breaches affecting healthcare continue to increase. Recent incidents such as the Change Healthcare breach illustrate that the covered entity and the business associate share responsibility for protecting PHI. Even when the fault lies with the vendor, the healthcare organization remains accountable for its patients' data.
StratoKey Solution
StratoKey encrypts PHI before it enters the cloud, enables the separation of encryption keys, and offers detailed visibility into PHI access. These features not only support HIPAA compliance and "Safe Harbor" but also minimize the impact of potential breaches and enhance forensic oversight.
Meet HIPAA Compliance Requirements Across Your Cloud Applications
StratoKey is application agnostic and can be configured to your organization's specific needs and compliance requirements. StratoKey offers integrations including NetSuite, NetSuite SuiteProjects Pro, Salesforce, Pipedrive, Jira, Confluence, Slack, and ServiceNow.
Ready to Secure Your HIPAA Regulated Data?
Our team has years of experience helping HIPAA-regulated organizations secure their PHI in the cloud. Get our HIPAA Guide for an in-depth look at how StratoKey can help - or simply contact us with your inquiry.