What is a HIPAA Compliant Data Center?
I hear this question a lot. What is a HIPAA Complaint Data Center? Good question because I don’t see a lot of information explaining exactly what it is. At Tier3MD, we have our own private HIPAA compliant datacenter, and we are happy to assist you in securing your data.
What exactly is a HIPAA compliant data center, and why do I need it? Very simple. The entire essence of HITECH, HIPAA and meaningful use is to protect the confidentiality, integrity and availability of electronic protected health information. (ePHI). Since data centers typically store, transmit, or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence apply just as much in the data center as in a provider’s facility. As a business associate (see Omnibus Rule), having a HIPAA compliant Data Center meant adhering to all the same policies, procedures, rule and regulations that we advise our clients to have in place. The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ePHI resides. With that said, the simple answer to “What is a HIPAA Compliant Data Center” is adhering to the administrative, physical, and technical safeguards and standards set forth by the HITECH act to be HIPAA compliant.
Other requirements needed for a HIPAA compliant data center are Organizational requirements. The Organizational Requirements found in the HIPAA Security Rule concern contracts and agreements with business associates (BAs) and the policies, procedures and documentation guidelines for group health plans. The Business Associate Agreement, or BAA, ensures business associates will implement the HIPAA safeguards to protect ePHI they receive or maintain on behalf of the covered entity. It also ensures that any subcontractors they work with will also follow the safeguards. The agreement requires BAs to report all security incidents and allow contract termination if any violations occur. Not only does an effective business associate agreement need to be in place between covered entities and their business associates; the contractors and vendors of the business associate must also share and sign business associate agreements if there is any potential of access to PHI data. The business associate agreement (BAA) is the ideal place to clarify the roles and responsibilities between the covered entity and the business associate.
A HIPAA compliant data center will have the proper elements and requirements for HIPAA compliant hosting. These requirements are:
The Security Awareness and Training Standard of the HIPAA Security Rule (Section 164.308(a)(5))9 specifically calls out the need for “Protection from Malicious Software.” We all use antivirus on our laptops, so using this on a server operates under the same premise: safety and security for critical infrastructure. This is one of the most important elements of security you can buy for the money for a managed server.
OS Patch Management
Routine OS patch management is required in today’s IT climate. And yes, there are many older servers, older applications, and just plain old implementations out there that IT administrators are scared to touch. These are, for example, the MS-SQL 2000 implementations that are connected to disparate systems, ERP systems, and other legacy applications that IT managers feel might break if patched. These are often unpatched due to lack of funding for application redesign, and sheer terror on the part of some IT managers to implement change for the security and good of the company.
Backup and Disaster Recovery
The HIPAA Contingency Plan standard described in section 164.308(a)(7)10 requires a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis. Part of proving due diligence is holding CEs and BAs responsible for ensuring PHI is not destroyed or lost in the event of a disaster. Offsite data backups are imperative and offsite disaster recovery is strongly recommended.
Protecting Healthcare Data
1. Disaster Prevention – Putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
2. Disaster Recovery – Assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if a disaster occurs in the primary data center.
Firewalls can help meet both administrative safeguard requirements to protect PHI from malicious software (164.308(a) (5)) and the technical safeguard requirements to tightly control access to PHI (164.312(a) (1)). The data center should be protected by redundant, or high availability, firewalls so that if one fails due to a hardware, software, or power issue, a second firewall can still stand between PHI and a malicious attack. Intrusion detection and intrusion prevention capabilities should also supplement firewall protection, and are often a feature of many modern firewall and universal threat management appliances.
HIPAA Trained Staff and Documented Policies
The most secure technologies are rendered useless without a culture of processes that ensures that secure policies and procedures are documented and consistently followed.