Everyone wants to know that their information is safe and secure, and some of the most private information people want to keep to themselves is their health information. HIPAA, the Health Insurance Portability and Accountability Act, exists to keep private health information protected.
The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 by the Clinton administration. HIPAA covers several different things. It makes sure that American workers are able to transfer and continue their health insurance after they change or lose their job. It helps reduce health care fraud and abuse. It dictates a standard for healthcare billing. And lastly, it requires the protection and confidential handling of health information.
Data centers handle information for many different industries, including hospitals. Because of this, there is a significant difference between HIPAA-compliant hosting and non-compliant hosting. We will highlight the HIPAA-compliant server requirements, and also, generally speaking, what it takes to be a HIPAA-compliant hosting company.
When it comes to HIPAA requirements for data storage: a patient's protected health information should be encrypted and secured to prevent unauthorized access, and this includes all types of web-based access. Patient health information should be encrypted with the Advanced Encryption Standard (AES). There should be a secure firewall to prevent unauthorized access. There also needs to be remote VPN access, so that those with proper credentials can reach the protected network remotely. A disaster recovery plan must be in place in case patient records are lost or the server malfunctions. Another requirement is that hospital and patient records need to be on a dedicated IP address that is cut off from the public Internet. The storage should also be redundant, isolated, and secure, with a high-speed connection.
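As an added example (not code from the original article or from any hosting provider), the following Go program shows what "AES encryption of a patient's health information" means in practice for data at rest: each record is sealed with AES-256-GCM, which provides both confidentiality and integrity, and the record identifier is bound in as associated data so that a ciphertext copied over another record is rejected on decryption. The record layout, the `EncryptPHI`/`DecryptPHI` names and the sample record are assumptions made for this example; the data-encryption key is generated in memory here only for illustration, and in a real deployment it would be held in a key management service or HSM rather than stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// EncryptedRecord is a constructed storage layout for one PHI record
// (hypothetical, not any vendor's format): the GCM nonce plus the
// ciphertext with its authentication tag appended by Seal.
type EncryptedRecord struct {
	RecordID uint64
	Nonce    []byte
	Data     []byte
}

// GenerateKey returns a fresh random 32-byte AES-256 data-encryption key.
func GenerateKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of any other size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recordAAD encodes the record ID as associated data so the tag covers it:
// moving a ciphertext to a different record ID fails authentication.
func recordAAD(id uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, id)
	return b
}

// EncryptPHI seals one plaintext record under the key with a random nonce.
func EncryptPHI(key []byte, id uint64, plaintext []byte) (*EncryptedRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, recordAAD(id))
	return &EncryptedRecord{RecordID: id, Nonce: nonce, Data: ct}, nil
}

// DecryptPHI opens a record; any modification of nonce, data, tag or
// record ID, or use of the wrong key, yields an error and no plaintext.
func DecryptPHI(key []byte, rec *EncryptedRecord) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Data, recordAAD(rec.RecordID))
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	rec, err := EncryptPHI(key, 1001, []byte("patient=Jane Doe; dx=example"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptPHI(key, rec)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	// Simulate a ciphertext being copied onto another patient's record.
	rec.RecordID = 1002
	_, err = DecryptPHI(key, rec)
	fmt.Println("record swap detected:", err != nil)
}
```

The design choice worth noting is the associated data: encryption alone would not stop a storage-level attacker (or a bug) from shuffling ciphertexts between patients, while binding the record ID into the tag makes that a detectable failure rather than a silent mix-up.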
There are many requirements a data center needs to abide by to have their data storage be compliant with HIPAA regulations, but there are even more requirements for the data center itself as a whole to be considered compliant with HIPAA as well.
For a data center to be considered a healthcare host and compliant with HIPAA, it needs to offer full data security and management. The host needs unique IDs and passwords, as well as procedures for logging in and out, for decryption, and for emergencies. The host should also keep web, database, and production servers distinct from one another. There should also be private IP addresses and private hosting availability.
When it comes to other security requirements, there should be antivirus and multifactor authentication to ensure privacy. Patch management, the repairing of vulnerabilities in the system, is also required to be HIPAA compliant. Phishing is a constant threat to data security. SSL certificate encryption of all patient information is helpful and necessary for HIPAA compliance. There should also be encrypted VPNs and private firewalls for extra measure, and a disaster recovery and backup plan in case there is a breach.
The data itself, including patient information, is the highest priority. The host needs guidelines for the way data is stored, transferred, and discarded, and quality control on how data is discarded, changed, and backed up. There also need to be rules for all data transmission, including email. The information should be easily accessible and available whenever needed, but there also need to be policies controlling access to the building and to all electronic systems holding patients' health information.
Lastly, to ensure the host is conducting business properly, there should be a Business Associate Agreement in place. For added measure, HIPAA also requires the system to be audited under SSAE 18 and SOC to make sure the data center is managing the business appropriately.
There are many benefits to having a HIPAA-compliant data center, and the main ones become clear when looking at what it takes to be compliant. These regulations are in place to protect the confidentiality, integrity, and availability of patients' health information.
Looking through all of the requirements, one should feel confident that their information is safe with a HIPAA-compliant host. But let's take a look at the benefits in more detail.
If data centers do not abide by these regulations, there are hefty fines for violations, ranging anywhere between $10,000 and $50,000. The most a single company can be fined per year is $1.5 million. There is also the risk of jail time as the result of sensitive data being exposed.
Using a host that operates under all of these regulations should make any health care provider and patient feel at ease about their data security.
If you want to know whether your current or prospective host is HIPAA compliant, or if you are a data center looking to become HIPAA compliant, there are a few things to look out for. Here is a quick recap and checklist of the requirements.
There needs to be a firewall implemented on the site; by controlling the traffic coming in and out, the network is made more secure. The VPN, or Virtual Private Network, needs to be encrypted. This is another way that traffic is controlled, which creates another layer of security.
The data center should also have the data backed up in an offsite location in case of emergency. It should use multifactor authentication. It should be a private platform that does not share resources with any other entity. It should have SSL (Secure Sockets Layer) certificates, and SSAE and SOC certifications as well. And lastly, there must be a Business Associate Agreement (BAA).
Many different things are required of a host to be HIPAA compliant, but all of it serves to protect the privacy of patients. We should all feel safer knowing these kinds of rules and regulations are in place for hosts and data centers. There are HIPAA-compliant hosts near you; you just need to do some research.