Health and Human Services (HHS) requires healthcare providers and their cloud storage providers to be compliant with HIPAA rules and regulations wherever protected heath information (PHI) is involved.
We protect the integrity of your patient information by being a HIPAA Compliant Business Associate. We have been third-party audit tested by ITPAC, an independent consulting group that provides specialized compliance services for IT, Healthcare, and Financial institutions. We comply with all Privacy and Security Rules to ensure your backup of Electronic Protected Health Information (ePHI) meets every HIPAA requirement.
HIPAA Compliance Checklist
We know that HIPAA requirements can be confusing, and the cost of noncompliance can be high. That’s why we’ve provided an easy-to-use checklist for you to see if you’re secure.
Do you know the basics of HIPAA compliance and cloud storage?
It is important to understand how to secure your health information against unauthorized use or theft?
Did you know that HIPAA regulations include how you store and backup your patient information? Beyond providing consistency in care by ensuring that patient health information is always available, the most important thing to look for in a cloud storage or backup solution is encryption. Your solution is only HIPAA compliant if it protects your patient’s data from being seen if it falls into the wrong hands. Encryption safeguards patient health information both in transport and on mobile devices, so be sure to select a solution that provides at least 256 bit level protection.
Other safeguards that should be taken to comply with HIPAA Include:
Unique passwords and usernames
Access, information, and system controls
Correctly installed wireless capability provider
Proper firewalls and encryption functionality
Learn more below. We’ve provided a detailed breakdown of all the information you should consider when selecting a solution. (See HIPAA Criteria & Technology Requirements)
HIPAA Basics For Health Professionals
HIPAA regulations were established to protect the integrity of Protected Health Information (PHI) or electronic PHI — this is any information that could be used to identify an individual. It’s important to remember that patient data is in danger of being seen by unintended parties if it is not properly encrypted when it is stored or transferred .
The Department of Health and Human Services (HHS) determines “protected health information” (PHI) as:
Personal Information such as birthdate, address, social security information, etc
Past and current medical conditions and treatments
Billing and insurance information
Does HIPAA Apply to Me?
According to the Health Insurance Portability and Accountability Act of 1996, requirements pertain to all institutions, organizations, and people who electronically transmit and store ePHI. These Covered Entities (CEs) in the act include:
Healthcare providers including: doctors, clinics, hospitals, nursing homes, and pharmacies that electronically transmits any PHI in connection with a transaction for which HHS has adopted a standard
If you use any outside entity to assist with your ePHI or Emergency Medical Records including a hosting company, you also have Business Associates (BAs) that must must comply with privacy and security rules (see security and privacy rules section). This is because BAs help health providers perform activities that involve the use or disclosure of PHI. A BA, person or business and any health provider must perform activities that involve the use or disclosure of Protected Health Information. (See What About Business Associates and BAAs)
1. Firewall: The purpose of a firewall is to prevent unauthorized access to or from a private network. There are three basic types of firewalls: hardware firewalls, software firewalls and web application firewalls.
Do you need a Firewall? Everyone who is considered a Covered Entity that handles ePHI is required to have firewalls implemented on their site to protect their data. If your PC is connected to the Internet, you’re a potential target for cyber threats, such as hackers, that attack through security holes. A Firewall works as a barrier, or a shield, between your PC and Cyberspace.∗
2. Encrypted Virtual Private Network (VPN): An encrypted VPN is technology that essentially creates a tunnel between two devices (typically the server and the client) where data is indecipherable during transport. The data is encrypted entering the tunnel and decrypted as it exits.
Do you need Encrypted VPN?
VPN is a tool used to make your internet connection. You have to trust that the network you're using won't alter your data. When your data reaches the VPN server, it exits onto the public internet. A VPN creates a virtual encrypted tunnel between you and a remote server operated by a VPN service. All external internet traffic is routed through this tunnel, so your data is secure from prying eyes. Best of all, your computer appears to have the IP address of the VPN server, masking your identity.∗
3. Offsite Backups: Offsite backups are a data security and disaster recovery technique that means data and software are being stored at a remote location from the company. Offsite backups are also called offsite data backups or offsite data protection. Offsite backups are simply a diversification method to prevent total loss of your valuable ePHI.∗
Do you need offsite Backup?
Hard drives can be lost, stolen, or destroyed so you never want to rely on an external drive as your sole backup. Unlike external hard drives, offsite backup in the cloud ensures that your data still accessible in the event of a disaster. This requirement is a reasonable way to ensure all the Electronic Medical Records (EMRs) are safe and accessible. Redundant offsite backups are the first steps to prevent total loss of your valuable ePHI.∗
4. Multi-Factor Authentication (MFA):
Multi-Factor Authentication is a security check that uses two different forms of authentication to confirm the identity of the user. On all parts of your site, from the administrative control panel associated with the server, to your Content Management System (CMS), to the operating system running throughout the network, you need Multi-Factor Authentication (MFA). MFA requires a user to provide more than just a password to access the network.
5. SSL Certificates: An Secure Sockets Layer (SSL) certificate is software that creates encryption of data during transmission and validates ownership of the certificate to varying degrees.
Do you need SSL Certificates?
You need SSL certificates established throughout your site, for any domains and subdomains on which sensitive information is accessed. In other words, any parts of your site that need login credentials should always have an SSL. Each server used for your site needs its own SSL certificate installed. SSL is the backbone of our secure Internet, and it protects your sensitive information as it travels across the world's computer networks. SSL is essential for protecting your website, even if it doesn't handle sensitive information like credit cards. It provides privacy, critical security, and data integrity for both your websites and your users' personal information.∗
What About Business Associates and Business Associate Agreements?
What Is a Business Associate?
If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you already have at least one Business Associate (BA).
BAs are the companies that help health providers perform activities that involve the use or disclosure of PHI. By law any BA, health provider, person, or business must comply with privacy and security rules (see security and privacy rules section) when disclosing PHI. They must have an agreement signed called a Business Associate Agreement (BAA).
What Is a Business Associate Agreement (BAA)?
As defined in the U.S. Health Insurance Portability and Accountability Act of 1996, A HIPAA Business Associate Agreement is a legal contract between a HIPAA Covered Entity (CE) and BA. The BAA should detail:
The respective role and responsibilities that a health provider and a hosting company have regarding protecting PHI.
The ways in which both parties will be held liable for any breaches, so if one member violates the terms of agreement, the other has legal recourse.
Do I Need BAAs?
Business Associate Agreements (BAAs) satisfy HIPAA regulations. They safeguard sensitive personal data and records of patients by making both health providers and their BAs responsible and liable for proper storage and transmission. If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you must have a BAA signed with that organization.
Remember, simply having a BAA doesn’t mean your responsibilities related to HIPAA are complete! You and your BAA should have clearly defined what type of actions they take to protect data. Health providers and their BAAs cannot excuse liability by claiming they shouldn’t have to follow HIPAA regulations if proper actions are not taken to safeguard patients data. If a BAA is not issued, it’s incomplete, or is violated, then both associates may find themselves in a lot of trouble with HIPAA.
What Does a Good BAA Look Like?
A good BAA protects both the health provider and the Business Associate in the event of a breach. It’s important that your BAA uses proper legal language. If only one party is responsible for a breach of PHI, then a BAA should clearly hold that party responsible. The first thing that a good BAA must include is an acknowledgement that the entity issuing it is obligated to HIPAA regulation. Your BAA must also include an acknowledgement that the entity signing is obligated to HIPAA regulations.
Selecting a Compliant Business Associates
What should you consider when selecting a BA?
Does your BA:
Have documentation to show they are a HIPAA Compliant Business Associate?
Use software that has been 3rd-party audited for compliance? (See security and technical requirements)
Have a track record of serving their clients without breaches to PHI?
“Your practice, not your Electronic Health Record vendor, is responsible for taking the steps needed to comply with HIPAA privacy & security standards.” - THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY
HIPAA violations come with hefty fines. Noncompliance can come with a penalty up to $1.5 million. These monetary penalties motivate facilities to operate in full compliance with HIPAA, and hold accountable those who don't. Penalties are based on the severity of the violation and the facility’s knowledge of the noncompliance. While that might lead you to think that it’s better to claim non-knowledge of breach if it occurs, you are responsible for reporting breaches as promptly as possible according to HIPAA.
The Four Tiers of HIPAA Violations:
Unaware violators: Facilities can receive penalties ranging from $110 to $55,010 per violation if they couldn't have reasonably been aware of a breach.
Reasonable cause: The penalty ranges from $1,100 to $55,010 per violation if the violation is not deemed willful neglect.
Willful neglect is corrected: If a violation is due to willful neglect but is corrected in a timely manner, the penalty ranges from $11,002 to $55,010 per violation.
Willful neglect not corrected: If a violation is due to willful neglect but is not corrected in a timely manner, the maximum penalty of $55,010 per violation applies.
To comply with HIPAA criteria it’s important to know what PHI must be protected. Laws require health providers and BAAs to protect both past and present patient data to qualify for reimbursements under the Affordable Care Act (ACA). Medical facilities and practitioners must also:
Comply with EHR rules
Allow patients to obtain access to their EHR in most circumstances
How CDS Meets HIPAA Standards
We understand HIPAA/HITECH requirements, so you can spend time managing your medical practice and not your data. Central Data Storage has supported medical and dental customers that are subject to the Health Insurance Portability and Accountability Act of 1996 for over 10 years.
We know that HIPAA is confusing. We ensure your backup of ePHI meets requirements by being secure, encrypted and private. That’s why we’re third-party audit tested for compliance. Now you can spend less time researching solutions and more time with your patients. We serve as a trusted BA in backup and recovery, encrypted file sharing, messaging, and more.
CDS is your trusted Business Associate, protecting your Covered Entity.
Benefits of using CDS as a BAA:
We undergo rigorous compliance testing for extra assurance: Hospitals, dental offices and medical practitioners cannot risk patient information being shared. We are a HIPAA compliant Business Associate. Central Data Storage satisfies the data backup controls of a HIPAA audit. We have private data centers and run a proprietary software to protect our clients.
Our products are specifically designed for HIPAA compliance: Compliance doesn't have to be an afterthought when purchasing a cloud storage product. We designed our products with compliance at the center.
Our products are specifically designed for health and dental providers: We know our customers want cutting edge cloud products and are not willing to sacrifice ease of use for rigorous compliance. With CDS, you have the ability to securely store and share your medical records that contain large files. These files can include not only basic patient information, lab results and visit summaries, but also files such as x-rays, MRIs, and CT scans.
We have the reputation and the resources: We have been a trusted provider for over 10 years with an excellent track record. We also offer superior resources and support by offering Managed Services.
We offer affordability and customization for patient management systems: Data size and proper data mapping in data recovery can be challenging for a small private practice. Many medical and dental practices use their own servers to store data created by patient management systems. It can be more cost-effective to use a data storage company who specializes in security like Central Data Storage.
CDS as your backup & recovery provider.
When it comes to selecting a backup product, HIPAA compliance can be complicated. There are a lot of components involved in creating the right solution including: coordinating your server hosting, security settings, and managed providers and the appropriate BAAs.
Central Data Storage and our products are 100% HIPAA compliant. We secure your patients health information against unauthorized use, theft or disclosure of the information.
COMING SOON! CDS as your encrypted sharing provider.
When selecting an Electronic Health Record (EHR) file sharing solution, navigating HIPAA compliance can be tough. You must ensure security and hosting requirements are met and proper BAAs are in place.
Central Data Storage offers HIPAA compliant software solutions for small businesses. With in-house support, easy-to-use products, and top-level encryption, we give businesses peace-of-mind knowing their data is safe and accessible.