The Health Insurance Portability and Accountability Act (HIPAA) of 1996 covers all US healthcare entities that handle electronic Patient Health Information (ePHI). The rules of compliance are strict and demand observance of several technical, administrative, physical and privacy safeguards, all that are enforced by the US Department of Health & Human Services (HHS).
HIPAA compliant cloud computing creates a unique set of challenges for US healthcare organizations, with many medical professionals choosing to outsource this responsibility to a cloud hosting partner. Strict adherence to the HIPAA security and privacy rules are mandatory, and a signed Business Associate Agreement (BAA) must be agreed between all entities.
These focus on implementing cloud infrastructure controls to protect ePHI. Mandatory requirements include access controls for approved users of the platform, using unique usernames and enforcing a strong password policy are expected, using Multi-Factor Authentication (MFA) and access control lists are highly recommended.
All ePHI should be encrypted in transit (network) and at rest (storage), using a minimum of the AES256 encryption standard. There are many audit controls required for any hardware, software or infrastructure processing ePHI. Enabling features such as enhanced logging, auditing of user access, auditing of permissions and system usage is required.
All cloud infrastructure must be compliant with appropriate levels of firmware and software security updates (patching). This approach limits the exposure of cloud computing services to operating system vulnerabilities and data breaches.
All BAA entities have a responsibility to protect the integrity of the ePHI data. Technical controls on the data ensure that it is not accessed, altered or destroyed in an unapproved manner. Security Information Event Management (SIEM) platforms are configured to audit and alert on any changes made to ePHI, the alerts are monitored and escalated as required.
Physical safeguards are put in place for all BAA entities, specifically relating to physical facilities (buildings), workstation usage and electronic device etiquette. Building controls are implemented to audit employee access to buildings, server rooms and facilities hosting ePHI. The main objective is to prevent tampering or theft of ePHI data. Any access can be traced and reported on 24/7.
It also includes creating and testing a disaster recovery (DR) strategy, the primary goal is to be capable of restoring access to ePHI in the event of a major incident. Common scenarios include access to an alternative DR control center and DR technical solution hosted at other premises.
Device etiquette is a challenging, but mandatory requirement of HIPAA, it includes any digital device, workstation/server, and digital media. All computer terminals are protected as standard with measures that include automated lock screens, and software to prevent copying data from a USB.
Additional controls are put in place on how the cloud computing infrastructure is backed up, including data retention policies, replication requirements, and hardware redundancy. There are extra rules that govern how data and media are destroyed, usually by certificated destruction.
These are the policies and procedures that govern the conduct of the BAA entity workforce. Requirements include measures to conduct a risk assessment, risk management and enforcing reporting and contingency planning.
Dedicated HIPAA officers are assigned by each BAA entity, these employees oversee the entire compliance landscape. Ensuring every agreed process is documented and continually reviewed. Other tasks such as reporting, password management, login monitoring and assigning training schedules are completed.
The BAA entities must know what ePHI is retained, and where the ePHI resides on the infrastructure. Users must have appropriate access to ePHI to complete their work, but access requires controlling and monitoring. Access rights should always be granted using the principle of least privilege.
Privacy and Enforcement
If any employee in a company violates the HIPAA stipulations, even unintentionally, the company can be fined up to $1.5 million (the yearly cap per business). Some of the most common offenses include ePHI with missing information, entities neglecting to sign the BAA, using laptops to store ePHI, throwing away confidential health documents. Our HIPAA violations guide goes into significant details about violations and enforcement practices.
Choosing a HIPAA Compliance Partner
The consequences of violating HIPAA can be extreme. Even if you are not fined millions, it is not a great way to spend money; and it’s not fun to end up on the HIPAA Wall of Shame.
For these reasons, it is extraordinarily important to choose a technological partner that specializes in healthcare hosting and is SOC 2 TYPE II and SOC 3 TYPE II certified and HIPAA and HITECH audited, like Atlantic.Net. Their SSD Cloud Servers offer a 100% uptime guarantee and can launch in under 30 seconds, just two of the many reasons they have earned our recommendation for #1 pick for HIPAA compliant hosting.