HIPAA Compliant Hosting Best Practices
One of the chief goals for the passage of the Health Insurance Portability and Accountability Act (HIPAA) was to help reduce healthcare fraud by mandating standards to safeguard protected health information (PHI). Complying with the requirements set by HIPAA will protect PHI and ensure that proper standards have been set in place for handling it in healthcare treatment or business operations.
In addition to the mandates for handling physical data, the HIPAA Security Rule also contains standards for how electronic protected health information (ePHI) should be managed, transmitted and stored. The three categories of safeguards are Administrative, Physical, and Technical Safeguards.
- Administrative Safeguards are the policies and procedures that are implemented to protect the sanctity of ePHI and ensure compliance with the Security Rule. These requirements include training employees on HIPAA, as well as restricting access to PHI.
- Physical Safeguards are the policies and procedures for protecting PHI from unauthorized intrusion within the electronic information systems, equipment, and buildings they are housed in.
- HIPAA defines Technical Safeguards as the policies and procedures that govern the technology used to protect ePHI and to control access to that data.
What is HIPAA Compliant Cloud Hosting?
When it comes to hosting PHI, HIPAA mandates that data should be encrypted and secured to prevent unauthorized access, including unauthorized employee access. For a hosting provider to achieve HIPAA compliance, it needs to offer full data security and management.
The challenge to HIPAA compliant cloud hosting is that while the act mandates that data is kept secure, it is rather vague in how that needs to be done. It is up to the individual covered entities and business associates to determine exactly how they need to address the standards laid out by HIPAA. However, the requirements for HIPAA compliant hosting can be fulfilled if an organization meets the standards below.
Firewall is a fairly broad term that can refer to hardware or software systems used to secure a network and control who (or what) is entering and exiting it.
An organization will need firewalls in place in order to be considered in compliance with HIPAA. Generally, HIPAA compliant hosting will implement a combination of hardware firewalls, software firewalls, and web application firewalls (WAFs) to protect servers from unauthorized users. Hosting infrastructure features this combination of firewalls because each layer faces its own threats and is a frequent target for intrusion.
A virtual private network (VPN) is a technology that creates a secure connection over the internet between two endpoints. If your organization has a need for remote access, you will need to provide it through a VPN with strong encryption.
Multi-factor authentication (MFA) is a security measure that verifies a user's identity by requiring two different forms of credentials. Rather than simply asking for a username and password, multi-factor authentication requires another step, such as answering a personal question or entering a code sent to the user's smartphone.
In order to be compliant, all of your organization's systems that transmit or store PHI will need MFA. The good news is that most software applications now have this as a feature, so all you will need to do is activate it from your administrative control panel.
Private Hosting Environment
A private hosting environment means that your servers are reserved solely for your use. If you want to be compliant with the regulations of HIPAA, your server cannot be on shared hosting. In a private hosting environment, your data, and the PHI you are responsible for, cannot be accessed by other entities, nor can the data be commingled with other tenants' applications.
HIPAA requires that PHI is only accessed when needed for business operations or treatment, and only by those with proper authentication.
A Secure Sockets Layer (SSL) certificate enables encryption of data and login credentials in transit between the client and the server, in order to further protect access to the server. Any domain or subdomain on your website that can access ePHI must be protected by an SSL certificate.
Signed Business Associate Agreements
A Business Associate Agreement (BAA) is a written contract between two parties regarding the responsibilities when sharing PHI that is necessary for business operations. If you allow an outside vendor to access PHI as part of their contracted services with you, you must have a signed BAA with them. A BAA will define the responsibilities and shared liability of both parties to protect PHI.
Off Site Backups
Offsite backups are a security measure in which a copy of your data is stored at a remote location away from your organization. Offsite backups are a way of distributing copies of your data to prevent the complete loss of your PHI, as well as any other data you need to keep secure.
Proper Data Disposal
To be HIPAA compliant, appropriate methods must be used to dispose of old and obsolete hardware. This disposal process usually requires that the data be wiped entirely and the physical component destroyed in a manner that does not allow the device to be repaired.
Keeping your organization HIPAA compliant can be a real challenge. You need to make certain that your systems are up to date, your staff is regularly trained, and that you have adopted all the right policies and procedures in your organization. Most of all, it takes vigilance. For a list of the best HIPAA compliant hosting providers, please visit our friends over at Web Hosting Professionals.
Hosting your data with an organization that is already in compliance with HIPAA will make your job much easier. Please contact us, if you need more information about HIPAA Compliance.