HIPAA Compliant Hosting
What is HIPAA Hosting?
HIPAA hosting refers to website, application, or data storage and hosting services that comply with the physical safeguard requirements of the HIPAA Security Rule. HIPAA hosting is one part of what application developers need in order to make their solutions HIPAA compliant.
Does Using HIPAA Hosting Make My Application HIPAA Compliant?
The short answer is no. HIPAA hosting alone does not make you HIPAA compliant.
HIPAA compliance is determined by adherence to the Privacy and Security Rules set out by HIPAA. HIPAA hosting addresses only one aspect of those requirements. Hosting your application in a HIPAA compliant hosting environment such as Amazon AWS or Firehost does not make your application HIPAA compliant, because such providers address only the physical safeguard requirements of the HIPAA Security Rule.
You are still required to meet the Technical and Administrative specifications of the HIPAA Security Rule in order to be compliant. TrueVault manages both the Technical and Physical safeguard requirements for your app, saving you the additional development time and resources of building them yourself for HIPAA compliant web hosting.
What Data Should Be Stored in HIPAA Compliant Hosting Environments?
Not all of your mHealth, eHealth or wearable application data needs to live in a HIPAA hosting environment. But any protected health information (PHI) requires HIPAA file storage. Protected health information is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service. Examples include:
- Medical records
- Billing information
- Health insurance information
- Any individually identifiable health information
PHI includes images such as x-rays, MRIs, test results, doctor's notes, patient communication and more. If your healthcare application is managing any of these data types, you want to ensure that it is kept within a HIPAA compliant web hosting environment.
Digital copies of protected health information are sometimes called ePHI, which refers to all individually identifiable health information that is created, maintained, or transmitted electronically.
What Makes a Hosting Environment HIPAA Compliant?
HIPAA compliant hosting providers typically provide two main aspects of HIPAA compliance:
- They sign a Business Associate Agreement with you, which is required by service providers managing and handling HIPAA protected information.
- They address many of the Physical Safeguard requirements of the HIPAA Security Rule including the following:
  - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
  - Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
  - Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
  - PHI Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
Required vs. Addressable HIPAA Implementation Specifications
Many of the implementation specifications above are listed as addressable. Required implementation specifications must be implemented as written. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; if an entity decides otherwise, that decision and its rationale must be documented. It is important to remember that an addressable implementation specification is not optional.
What is HIPAA Compliance?
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone who has access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.
The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national standards for protecting health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).
If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are the ones most relevant to the services your HIPAA compliant host provides; they are listed below, with detail on what constitutes a HIPAA compliant data center.
- Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).
- Technical safeguards require access control so that only authorized users can access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption.
- Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.
- Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn't been altered or destroyed. IT disaster recovery and offsite backup are key to ensuring that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.
- Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.
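To make the technical safeguards above concrete, here is an added Python example (not code from this page or from TrueVault) of a toy in-memory ePHI store that implements several of them at once: unique user IDs with role-based, least-privilege field access; an idle timeout that automatically logs a session off; an HMAC-SHA256 integrity tag that detects out-of-band alteration of a record; and an append-only audit log recording the outcome of every login and access attempt. The user names, roles, the 15-minute timeout and the patient record are constructed for the example; encryption at rest and in transit is left to the hosting platform and is not shown.

```python
import hashlib
import hmac
import json
import time

# Constructed identity data for the example: unique user IDs and their roles.
ROLES = {"dr_alice": "clinician", "billing_bob": "billing", "eve_intern": "intern"}
# Least-privilege view: which record fields each role may read (constructed).
FIELD_ACCESS = {"clinician": {"diagnosis", "notes", "insurance_id"},
                "billing": {"insurance_id"},
                "intern": set()}
IDLE_TIMEOUT_S = 15 * 60  # assumed automatic log-off threshold


class EPHIStore:
    """In-memory ePHI store: role-based access, auto log-off, HMAC integrity tags, audit log."""

    def __init__(self, integrity_key, clock=time.time):
        self._key = integrity_key
        self._clock = clock        # injectable so the idle timeout can be exercised
        self._records = {}         # record_id -> dict of fields
        self._tags = {}            # record_id -> HMAC-SHA256 over the record
        self._sessions = {}        # user_id -> last activity time
        self.audit = []            # append-only (ts, user_id, action, record_id, outcome)

    def _log(self, user_id, action, record_id, outcome):
        self.audit.append((self._clock(), user_id, action, record_id, outcome))

    def _tag(self, record_id, record):
        # Canonical JSON so an unchanged record always yields the same tag.
        msg = record_id.encode() + b"\0" + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, user_id):
        if user_id not in ROLES:
            self._log(user_id, "login", None, "denied")
            raise PermissionError("unknown user")
        self._sessions[user_id] = self._clock()
        self._log(user_id, "login", None, "ok")

    def _require_session(self, user_id):
        last = self._sessions.get(user_id)
        if last is None:
            self._log(user_id, "access", None, "no_session")
            raise PermissionError("not logged in")
        now = self._clock()
        if now - last > IDLE_TIMEOUT_S:
            del self._sessions[user_id]        # automatic log-off
            self._log(user_id, "auto_logoff", None, "expired")
            raise PermissionError("session expired")
        self._sessions[user_id] = now

    def write(self, user_id, record_id, record):
        self._require_session(user_id)
        if ROLES[user_id] != "clinician":
            self._log(user_id, "write", record_id, "denied")
            raise PermissionError("role may not write ePHI")
        self._records[record_id] = dict(record)
        self._tags[record_id] = self._tag(record_id, record)
        self._log(user_id, "write", record_id, "ok")

    def read(self, user_id, record_id):
        self._require_session(user_id)
        allowed = FIELD_ACCESS[ROLES[user_id]]
        record = self._records.get(record_id)
        if record is None or not allowed:
            self._log(user_id, "read", record_id, "denied")
            raise PermissionError("access denied")
        if not hmac.compare_digest(self._tags[record_id], self._tag(record_id, record)):
            self._log(user_id, "read", record_id, "integrity_failure")
            raise ValueError("record integrity check failed")
        self._log(user_id, "read", record_id, "ok")
        return {k: v for k, v in record.items() if k in allowed}


def _raises(fn, exc):
    """True if calling fn raises exc (used to record denied/expired outcomes)."""
    try:
        fn()
        return False
    except exc:
        return True


def demo():
    """Exercise each safeguard with a controllable clock; returns the observed outcomes."""
    clock = [1_700_000_000.0]
    store = EPHIStore(b"constructed-demo-key", clock=lambda: clock[0])
    for user in ROLES:
        store.login(user)
    store.write("dr_alice", "pt-001",
                {"diagnosis": "J45.909", "notes": "follow-up", "insurance_id": "INS-42"})
    out = {"clinician_view": store.read("dr_alice", "pt-001"),
           "billing_view": store.read("billing_bob", "pt-001"),
           "intern_denied": _raises(lambda: store.read("eve_intern", "pt-001"), PermissionError)}
    clock[0] += IDLE_TIMEOUT_S + 1             # clinician's session sits idle past the threshold
    out["auto_logoff"] = _raises(lambda: store.read("dr_alice", "pt-001"), PermissionError)
    store.login("dr_alice")
    store._records["pt-001"]["notes"] = "altered"   # out-of-band change bypassing write(): stale tag
    out["tamper_detected"] = _raises(lambda: store.read("dr_alice", "pt-001"), ValueError)
    out["audit_outcomes"] = [event[-1] for event in store.audit]
    return out
```

Calling `demo()` shows the billing role receiving only the insurance field, the intern being refused outright, the clinician's idle session being logged off automatically, and the out-of-band edit being caught by the integrity tag, with every one of those outcomes (including the denials) recorded in the audit log rather than only the successes.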
A supplemental act passed in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, supports the enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules. The HITECH Act was enacted in response to health technology development and the increased use, storage and transmission of electronic health information.
Not sure how to get HIPAA hosting? Contact us or chat with someone now. Or read more about real HIPAA hosting case studies.
Resources: U.S. Department of Health and Human Services.