What is HIPAA Compliance?
HIPAA, the Health
Insurance Portability and Accountability Act, sets the standard for protecting
sensitive patient data. Any company that deals with protected health
information (PHI) must ensure that all the required physical, network, and
process security measures are in place and followed.
This includes covered
entities (CE), anyone who provides treatment, payment and operations in
healthcare, and business associates (BA), anyone with access to
patient information and provides support in treatment, payment or operations.
Subcontractors, or business associates of business associates, must also be in
compliance.
The HIPAA
Privacy Rule addresses the saving, accessing and sharing of medical
and personal information of any individual, while the HIPAA Security Rule more
specifically outlines national security standards to protect health data
created, received, maintained or transmitted electronically, also known as
electronic protected health information (ePHI).
If you are hosting
your data with a HIPAA compliant hosting provider, they must
have certain administrative, physical and technical safeguards in place,
according to the U.S. Department of Health and Human Services. The physical and
technical safeguards are most relevant to services provided by your HIPAA
compliant host as listed below, with detail on what constitutes a HIPAA
compliant data center.
- Physical
safeguards include
limited facility access and control, with authorized access in place. All
covered entities, or companies that must be HIPAA compliant, must have
policies about use and access to workstations and electronic media. This
includes transferring, removing, disposing and re-using electronic media
and electronic protected health information (ePHI).
- Technical
safeguards require
access control to allow only the authorized to access electronic protected
health data. Access control includes using unique user IDs, an emergency
access procedure, automatic log off and encryption and decryption.
- Audit reports,
or tracking logs, must be implemented to keep records of activity on
hardware and software. This is especially useful to pinpoint the source or
cause of any security violations.
- Technical
policies should
also cover integrity controls, or measures put in place to confirm that
ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite
backup are key to ensure that any electronic media errors or failures can
be quickly remedied and patient health information can be recovered
accurately and intact.
- Network, or
transmission, security is the
last technical safeguard required of HIPAA compliant hosts to protect
against unauthorized public access of ePHI. This concerns all methods of
transmitting data, whether it be email, Internet, or even over a private
network, such as a private cloud.
============================================================
Physical Security
Physical
security is a basic but critical layer of security your hosting provider must
hold to the highest standards in order to lower your organization's risk, meet
compliance standards, and prevent unauthorized access to IT infrastructure.
The
physical security of our data centers is only one measure of safeguards
independently audited on an ongoing basis with annual reporting to verify we
have successfully implemented strong access control measures to protect our
infrastructure. Physical security means only authorized personnel should have
limited access to locked server racks, suites and cages.
All
of our cloud hosting data centers require two-factor authentication for
building access, including keycard logging and biometric identification. All
visitors are required to sign in, wear badges, and follow proprietary security
procedures. Our environmental controls include 24/7 monitoring, logged
surveillance cameras, and multiple alarm systems. In addition, we make it a
priority to know our clients and to inquire if we see a new face. It's good
business, and good security.
Technical Security
Technical
security, such as encryption, two-factor authentication, and intrusion
protection is a core safeguard of sensitive data. It's important the
application of security technologies falls within the context of a strategic
approach that includes administrative and physical safeguards. Technical safeguards are
not one size fits all. We will work with you to fit the right combination of
security technologies to suit your tolerance for risk, compliance obligations,
and resource demands.
The
technical safeguards below are all included in our security packages to comply
with PCI DSS standards and are a great addition to lower your risk of data loss
if you need to follow HIPPA, SOC 2, or Safe Harbor guidelines.
Administrative Security
Administrative security
includes our independent annual audits, hiring policies, staff training, and
back-office processes that protect sensitive data. Equally important as
ensuring the physical and technical security of your data environment,
administrative security addresses the business-facing concerns of partnering
with a third-party hosting provider.
If you collect,
store or process credit cardholder data, you are required to meet PCI DSS compliance.
With PCI, you are required to ensure third-party/service providers that may
have an impact on the security of the cardholder data environment are able to
meet compliance standards.
If you collect,
store, or process patient health data, you are required to meet HIPAA compliance.
With HIPAA, you are required to comply with the administrative safeguards
within the HIPAA Security Standards that apply to:
- The size, complexity, and capabilities of the
covered entity
- The covered entity's technical infrastructure,
hardware, and software security capabilities
- The costs of security measures
- The probability and criticality of potential
risks to ePHI
We can provide the
administrative security you need in the form of contractual requirements and
staff training as well as documented policies, procedures, and independent
audit reports to lower your organization's risk of outsourcing its IT
infrastructure needs.
Your Complete Security
Toolkit
Protecting
sensitive information and mission-critical applications is an essential and
ongoing effort requiring coordinated partnership and a proactive approach to
reducing risk by all parties.
We employ a
defensive, in-depth approach to security with safeguards that encompass all of
our people, processes, and technologies. We assess our security monitoring,
capabilities, and responses on an ongoing basis to ensure we are keeping up
with the evolving cybersecurity landscape. We proactively turn away prospects
who request resources consistent with spamming or other unethical activities
and work with clients with sensitive data to make sure they are taking adequate
security precautions. Our choice of architecture includes technologies such as
default encryption in our cloud and offsite backup and recovery solutions. This
is consistent with our culture of compliance to keep data safe, secure, and
private.
