To work with many healthcare organizations, hosting services and data centers must have the knowledge, resources, and equipment to demonstrate adherence to federal regulations. Specifically, their environment and tools (hardware and software), as well as their processes, must meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Systems that fully satisfy these federal compliance rules are typically referred to as “HIPAA compliant.”
These healthcare laws are intended to protect the privacy and security of American patients. If a healthcare organization (provider, plan, or informational clearinghouse) does not abide by the legislation, including the Privacy Rule and Security Rule of HIPAA’s Title II (the most broadly applicable section of the Act), it can receive heavy fines: as much as $50,000 per violation, with an annual maximum penalty of $1.5 million per organization.
Some of the typical questions asked by those in search of IT solutions for their healthcare companies are answered below. Following that are a couple of snapshot tutorials on the adoption/deployment of HIPAA compliant systems. If you have another question that you don’t see answered among these, feel free to add it to the comments.
Six HIPAA Questions
1. What is HIPAA compliant hosting?
A hosting company is a third-party information technology (IT) provider that connects clients to systems meeting their needs. Hosting is so commonly purchased as a service (although many companies still own and operate their own data centers) because the dedicated expertise of hosting and data center professionals, combined with many customers sharing pooled resources, creates a trusted and cost-effective IT environment.
HIPAA compliant hosting is the type of hosting that must be achieved by the vast majority of healthcare organizations operating in the US: all providers, plans, and clearinghouses must seek this solution. In a nutshell, it includes the following two core components:
- Business Associate Agreement (BAA) – a contract signed by both the hosting company and the healthcare organization; and
- Security Protocols & Equipment – dedicated physical or virtual servers secured with industry-standard protocols and technologies: fully managed switches; fully managed firewalls; virtual private networks (VPNs) encrypted with technologies including secure sockets layer (SSL) certificates; and intrusion detection systems (IDSs).
2. What is a HIPAA server?
HIPAA compliant servers, or HIPAA servers, are any type of “server-side” (backend) machines – such as email servers, Web servers, databases, and application servers – that are used within an environment abiding by HIPAA. HIPAA compliant servers can be of almost any brand or model, as long as sufficient security protections are in place (managed firewalls, encrypted VPNs, SSL certificates, etc.) to safeguard patient data. Another way of looking at it is that a HIPAA server is in some way involved in the processing, storage, or transfer of protected health information (PHI), one form of which is electronic medical records (EMR).
3. What is a HIPAA compliant database?
Databases are critical components of any system that holds large pools of information, whether about logins, customers, orders, scientific processes, etc. The most popular open source database is MySQL. At the core of many hosting environments are LAMP stacks, software bundles in which MySQL is combined with the Apache Web server, the PHP language, and the Linux operating system. HIPAA databases contain, at least in part, protected health information (PHI).
4. What are the HIPAA server security standards?
Below is the basic compliance checklist for HIPAA server security. Not all of the items below are listed specifically within the law. In some places, HIPAA refers to reasonable security standards, and what counts as reasonable changes over time and is open to debate. However, for our understanding of the law, the following are necessary components:
- two-factor authentication (to add an additional layer to the login process)
- secure sockets layer (SSL) certificates (to encrypt data, avoiding theft of data between server and client devices)
- encrypted VPNs (again, to encrypt for theft-prevention)
- dedicated firewalls (to filter traffic so that information isn’t stolen or altered)
- Managed Intrusion Detection System, or IDS (to survey activity and rapidly determine if any traffic is malicious)
- Anti-Virus Protection (to protect the system against theft or corruption due to viruses and malware)
- total private environment (to disallow resource-sharing, which could make data vulnerable)
- redundant backup facility (to avoid loss or corruption)
- Business Associate Agreement, or BAA (to establish the nature of the relationship with a hosting company or data center)
- Bonus: SSAE 16 Type II audited data center (to verify, through an independent audit, adherence to the standards of the American Institute of CPAs, which set security guidelines).
We will continue with the two additional questions referenced above, as well as the two snapshot tutorials, in the second part of this two-part series (linked here shortly). If you would like to get a broader understanding of HIPAA compliant hosting in general, check out our Master Index on the topic.
By Brett Haines
The post Commonly Asked Questions and How-To’s About HIPAA Compliance appeared first on Atlantic.Net.