Download this FREE 5-step guide to create your own Disaster Recovery Plan.
The Department of Health and Human Services (HHS) requires healthcare providers and their cloud storage providers to comply with HIPAA rules and regulations wherever protected health information (PHI) is involved.
We protect the integrity of your patient information by being a HIPAA Compliant Business Associate. We have been third-party audit tested by ITPAC, an independent consulting group that provides specialized compliance services for IT, Healthcare, and Financial institutions. We comply with all Privacy and Security Rules to ensure your backup of Electronic Protected Health Information (ePHI) meets every HIPAA requirement.
We know that HIPAA requirements can be confusing, and the cost of noncompliance can be high. That’s why we’ve provided an easy-to-use checklist for you to see if you’re secure.
Is your current solution keeping your patients’ data (including medical conditions, treatment, and billing information) private according to the HIPAA Security and Privacy Rules?
Not Sure? Read “HIPAA Privacy and Security Requirements” ↓
It is important to understand how to secure your health information against unauthorized use or theft.
Did you know that HIPAA regulations cover how you store and back up your patient information? Beyond providing consistency in care by ensuring that patient health information is always available, the most important thing to look for in a cloud storage or backup solution is encryption. Your solution is only HIPAA compliant if it keeps your patients’ data from being read should it fall into the wrong hands. Encryption safeguards patient health information both in transit and on mobile devices, so be sure to select a solution that provides at least 256-bit encryption.
Other safeguards that should be taken to comply with HIPAA include:
Unique passwords and usernames
Access, information, and system controls
A correctly configured wireless network
Proper firewalls and encryption functionality
HIPAA regulations were established to protect the integrity of Protected Health Information (PHI) or electronic PHI — this is any information that could be used to identify an individual. It’s important to remember that patient data is in danger of being seen by unintended parties if it is not properly encrypted when it is stored or transferred.
Personal information such as birthdate, address, Social Security number, etc.
Past and current medical conditions and treatments
Under the Health Insurance Portability and Accountability Act of 1996, the requirements apply to all institutions, organizations, and people who electronically transmit and store ePHI. These Covered Entities (CEs) under the act include:
If you use any outside entity to assist with your ePHI or electronic medical records (EMRs), including a hosting company, you also have Business Associates (BAs) that must comply with the Privacy and Security Rules (see the security and privacy rules section). A BA is any person or business that helps a health provider perform activities involving the use or disclosure of PHI. (See “What About Business Associates and BAAs”.)
The HHS has created the HIPAA Privacy Rule and Security Rule to further help healthcare providers define exactly what is required of them in terms of ePHI.
1. Firewall: The purpose of a firewall is to prevent unauthorized access to or from a private network. There are three basic types of firewalls: hardware firewalls, software firewalls, and web application firewalls.
Do you need a Firewall?
Every Covered Entity that handles ePHI is required to have firewalls implemented on its site to protect its data. If your PC is connected to the Internet, you are a potential target for cyber threats, such as hackers, that attack through security holes. A firewall works as a barrier, or a shield, between your PC and the Internet.
2. Encrypted Virtual Private Network (VPN): An encrypted VPN is a technology that essentially creates a tunnel between two devices (typically the server and the client) in which data is indecipherable during transport. The data is encrypted as it enters the tunnel and decrypted as it exits.
Do you need an Encrypted VPN?
A VPN is a tool used to secure your internet connection. Without one, you have to trust that the network you're using won't read or alter your data. A VPN creates a virtual encrypted tunnel between you and a remote server operated by a VPN service, and all external internet traffic is routed through this tunnel, so your data is hidden from prying eyes on the local network. When your data reaches the VPN server, it exits onto the public internet. Your computer also appears to have the IP address of the VPN server, masking your identity.
3. Offsite Backups: Offsite backups are a data security and disaster recovery technique in which data and software are stored at a location remote from the company. They are also called offsite data backups or offsite data protection. Offsite backups are simply a diversification method to prevent total loss of your valuable ePHI.
Do you need offsite Backup?
Hard drives can be lost, stolen, or destroyed, so you never want to rely on an external drive as your sole backup. Unlike external hard drives, offsite backup in the cloud ensures that your data is still accessible in the event of a disaster. This requirement is a reasonable way to ensure all Electronic Medical Records (EMRs) are safe and accessible. Redundant offsite backups are the first step toward preventing the total loss of your valuable ePHI.
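Redundancy only helps if each copy is actually intact, so a practitioner wants a way to confirm that before a disaster. The following script is an added example, not Central Data Storage's software: it builds a SHA-256 manifest of a source tree, checks each replica (an onsite drive and an offsite copy, both simulated in a temporary directory) against that manifest, and counts how many copies are still usable. File names and contents are constructed for the demo.

```python
"""Added example (not Central Data Storage's software): verifying that redundant
backup copies still match the original before you rely on them.

Builds a SHA-256 manifest of a source tree, compares each replica (e.g. an
onsite drive and an offsite copy) against it, and reports how many intact
copies remain. Paths and file contents below are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large images (x-rays, MRIs) fit in memory


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_replica(manifest: dict, replica: Path) -> list:
    """Return human-readable problems; an empty list means the replica is intact."""
    problems = []
    for rel, expected in manifest.items():
        target = replica / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def intact_copies(manifest: dict, replicas: list) -> int:
    """How many replicas pass verification with no problems at all."""
    return sum(1 for r in replicas if not verify_replica(manifest, r))


def run_demo() -> dict:
    """Simulate a source tree, an onsite and an offsite copy, and silent damage to the onsite copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "emr"  # constructed source tree
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "record-0001.json").write_text(
            json.dumps({"id": 1, "note": "constructed sample record"})
        )
        (source / "imaging-0001.bin").write_bytes(bytes(range(256)) * 64)

        manifest = build_manifest(source)
        onsite = base / "onsite-drive"
        offsite = base / "offsite-copy"
        shutil.copytree(source, onsite)
        shutil.copytree(source, offsite)

        # Silent bit-rot or a partial overwrite on the local drive
        (onsite / "imaging-0001.bin").write_bytes(b"\x00" * 16)

        return {
            "files_in_manifest": len(manifest),
            "onsite_problems": verify_replica(manifest, onsite),
            "offsite_problems": verify_replica(manifest, offsite),
            "intact_copies": intact_copies(manifest, [onsite, offsite]),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script and it prints the verification result for both copies: the onsite drive reports the corrupted image while the offsite copy passes, leaving exactly one intact copy. In practice the manifest would be written at backup time and re-checked on a schedule, with the hash kept separately from the data it protects.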
4. Multi-Factor Authentication (MFA):
Multi-Factor Authentication is a security check that uses two or more different forms of authentication to confirm the identity of the user. On all parts of your site, from the administrative control panel associated with the server to your Content Management System (CMS) to the operating system running throughout the network, you need Multi-Factor Authentication (MFA). MFA requires a user to provide more than just a password to access the network.
Do you need MFA?
MFA is the single most effective control for insulating an organization against remote attacks. When implemented correctly, MFA prevents most attackers from easily gaining access to your data, even if credentials have been compromised.
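To make "more than just a password" concrete, here is an added example (not Central Data Storage's code) of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate as a second factor. It derives a code from a shared secret and the current 30-second time step, accepts a small clock-skew window, and refuses a code whose time step has already been used so an intercepted code cannot be replayed. The base32 demo secret is a constructed value.

```python
"""Added example: a minimal TOTP second factor (RFC 6238) in pure Python.

Not Central Data Storage code. Shows what "more than just a password" means
mechanically: a code derived from a shared secret and the current 30-second
time step, checked with a small tolerance window and protected against replay
of an already-used code.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_counter: int = -1,
                window: int = 1, digits: int = 6, step: int = STEP_SECONDS):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns (accepted, counter_used). A counter at or below `last_counter` is
    refused so an intercepted code cannot be replayed within its validity window.
    """
    current = int(at_time) // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        expected = hotp(secret, candidate, digits)
        # constant-time comparison avoids leaking which digits matched
        if hmac.compare_digest(expected, submitted):
            return True, candidate
    return False, last_counter


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the secret as base32 (as in otpauth:// URIs)."""
    padded = encoded.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # Constructed demo secret; a real enrolment would use secrets.token_bytes(20)
    demo_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code)
    accepted, counter = verify_totp(demo_secret, code, now)
    print("first use accepted:", accepted)
    # The same code presented again is refused once its counter has been recorded
    print("replay accepted:", verify_totp(demo_secret, code, now, last_counter=counter)[0])
```

The server side stores the secret (ideally encrypted at rest) and the last accepted counter per user; the window of one step each way tolerates ordinary clock drift without materially widening the guessing space, and rate limiting on failed attempts should still sit in front of this check.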
5. SSL Certificates: A Secure Sockets Layer (SSL) certificate is a digital certificate that enables encryption of data during transmission and validates the identity of the certificate holder to varying degrees. (Modern servers use its successor, TLS, but the certificates are still commonly called SSL certificates.)
Do you need SSL Certificates?
You need SSL certificates established throughout your site, for any domains and subdomains on which sensitive information is accessed. In other words, any part of your site that requires login credentials should always have an SSL certificate. Each server used for your site needs its own SSL certificate installed. SSL is the backbone of the secure Internet, and it protects your sensitive information as it travels across the world's computer networks. SSL is essential for protecting your website, even if it doesn't handle sensitive information like credit cards. It provides privacy, critical security, and data integrity for both your websites and your users' personal information.
If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you already have at least one Business Associate (BA).
BAs are the companies that help health providers perform activities that involve the use or disclosure of PHI. By law, any BA, health provider, person, or business must comply with privacy and security rules (see security and privacy rules section) when disclosing PHI. They must have an agreement signed called a Business Associate Agreement (BAA).
As defined in the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA Business Associate Agreement is a legal contract between a HIPAA Covered Entity (CE) and a BA. The BAA should detail:
The respective role and responsibilities that a health provider and a hosting company have regarding protecting PHI.
The ways in which both parties will be held liable for any breaches, so if one member violates the terms of the agreement, the other has legal recourse.
Business Associate Agreements (BAAs) satisfy HIPAA regulations. They safeguard sensitive personal data and records of patients by making both health providers and their BAs responsible and liable for proper storage and transmission. If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you must have a BAA signed with that organization.
Remember, simply having a BAA doesn’t mean your responsibilities related to HIPAA are complete! You and your BA should have clearly defined in the BAA what actions each of you takes to protect data. Health providers and their BAs cannot excuse liability by claiming they shouldn’t have to follow HIPAA regulations if proper actions are not taken to safeguard patients' data. If a BAA is not issued, is incomplete, or is violated, then both parties may find themselves in a lot of trouble under HIPAA.
A good BAA protects both the health provider and the Business Associate in the event of a breach. It’s important that your BAA uses proper legal language. If only one party is responsible for a breach of PHI, then a BAA should clearly hold that party responsible. The first thing that a good BAA must include is an acknowledgment that the entity issuing it is obligated to HIPAA regulation. Your BAA must also include an acknowledgment that the entity signing is obligated to HIPAA regulations.
What should you consider when selecting a BA?
Does your BA:
“Your practice, not your Electronic Health Record vendor, is responsible for taking the steps needed to comply with HIPAA privacy & security standards.” - The Office of the National Coordinator for Health Information Technology
HIPAA violations come with hefty fines. Noncompliance can come with a penalty of up to $1.5 million. These monetary penalties motivate facilities to operate in full compliance with HIPAA and hold accountable those who don't. Penalties are based on the severity of the violation and the facility’s knowledge of the noncompliance. While that might lead you to think that it’s better to claim non-knowledge of a breach if it occurs, you are responsible for reporting breaches as promptly as possible according to HIPAA.
The Four Tiers of HIPAA Violations:
To comply with HIPAA criteria it’s important to know what PHI must be protected. Laws require health providers and BAs to protect both past and present patient data to qualify for reimbursements under the Affordable Care Act (ACA). Medical facilities and practitioners must also:
We understand HIPAA/HITECH requirements, so you can spend time managing your medical practice and not your data. Central Data Storage has supported medical and dental customers that are subject to the Health Insurance Portability and Accountability Act of 1996 for over 10 years.
We know that HIPAA is confusing. We ensure your backup of ePHI meets requirements by being secure, encrypted and private. That’s why we’re third-party audit tested for compliance. Now you can spend less time researching solutions and more time with your patients. We serve as a trusted BA in backup and recovery, encrypted file sharing, messaging, and more.
We undergo rigorous compliance testing for extra assurance:
Hospitals, dental offices, and medical practitioners cannot risk patient information being shared. We are a HIPAA compliant Business Associate. Central Data Storage satisfies the data backup controls of a HIPAA audit. We have private data centers and run proprietary software to protect our clients.
Our products are specifically designed for HIPAA compliance:
Compliance doesn't have to be an afterthought when purchasing a cloud storage product. We designed our products with compliance at the center.
Our products are specifically designed for health and dental providers:
We know our customers want cutting-edge cloud products and are not willing to sacrifice ease of use for rigorous compliance. With CDS, you have the ability to securely store and share medical records that contain large files. These files can include not only basic patient information, lab results, and visit summaries, but also x-rays, MRIs, and CT scans.
We have the reputation and the resources:
We have been a trusted provider for over 10 years with an excellent track record. We also offer superior resources and support by offering Managed Services.
We offer affordability and customization for patient management systems:
Data size and proper data mapping in data recovery can be challenging for a small private practice. Many medical and dental practices use their own servers to store data created by patient management systems. It can be more cost-effective to use a data storage company that specializes in security like Central Data Storage.
When it comes to selecting a backup product, HIPAA compliance can be complicated. There are a lot of components involved in creating the right solution including coordinating your server hosting, security settings, and managed providers and the appropriate BAAs.
Central Data Storage and our products are 100% HIPAA compliant. We secure your patients' health information against unauthorized use, theft or disclosure of the information.
When selecting an Electronic Health Record (EHR) file sharing solution, navigating HIPAA compliance can be tough. You must ensure security and hosting requirements are met and proper BAAs are in place.