HIPAA compliance is important to a lot of people, and if you work in the health technology industry, it should be important to you, too! Read on to learn what it takes to be compliant.
Hosting. For basically everyone, it’s one of the most common services provided on the internet. Every business has (or should have) a website, and that website needs to be hosted somewhere. Whether with the best hosting company out there (Fibernet, of course) or anyone else, hosting is a necessary service. And not just web hosting: cloud, dedicated, and colocation are all included.
Hosting means somewhere, on some server, your data is being stored and served. It could be in Silicon Valley, or Las Vegas, or Utah. It could be in New York, Chicago, Miami, or Atlanta. It could be hosted in Europe, or Asia, or even Australia. Wherever you are hosted, you should be concerned with the security of that data center.
If you are required by law to be compliant with a certain set of standards or regulations, then you need to be hosted at a data center that meets the same requirements. Here’s a breakdown of one of the more common regulations: HIPAA compliance. Before we continue, I have to say that it is not HIPPA, and definitely not HIPPO (though I kinda wish it was about hippos, that would be way cooler).
HIPAA stands for the Health Insurance Portability and Accountability Act, a law passed in 1996. Crazy to think that 20 years ago, the government was already concerned about the security of electronic records. The internet was young then, and the rules have been updated since: the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA’s privacy and security requirements, and the 2013 Omnibus Final Rule wrote those changes into the HIPAA regulations. Basically, HIPAA protects patient health records, known as protected health information (PHI). Here’s what counts as PHI, according to TechTarget:
- A patient’s name, address, birthdate and Social Security number
- An individual’s physical or mental health condition
- Any care provided to an individual
- Information concerning the payment for the care provided to the individual that identifies the patient, or information for which there is a reasonable basis to believe could be used to identify the patient.
Here’s what the HIPAA Security Rule requires covered entities (and, since HITECH, their business associates, which includes a hosting provider storing PHI) to do, according to the Dept. of Health and Human Services:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Overall, the idea is that all PHI is private and is only accessed (and accessible) by authorized personnel. Here are the safeguards you should be looking for at a data center:
- Facility Access Control: They need to limit physical access to authorized persons only.
- Workstation and Device Security: Employee workstations, shared-use workstations, and any devices that touch e-PHI must be monitored and must comply with written policies on their use.
- Workforce Training: All employees there need to be trained on HIPAA compliance standards.
- Audit and Compliance Proof: Data centers need to show they are compliant by submitting to an independent audit of some type. Keep in mind that HHS does not certify data centers or endorse any “HIPAA certification,” so what you should ask for is the audit report itself, plus a signed business associate agreement (BAA), since a provider that stores your PHI is your business associate under the law.
If a provider’s data center is compliant, they should be able to prove it, both on paper and through their conduct and performance. If you want to know more about compliance, check this out, and follow this blog for more updates about compliance with SSAE 16, SOX, PCI, and more!