For businesses involved in storing protected health information, ensuring you comply with HIPAA is critical. In this article, we walk you through the basics of a HIPAA compliant server so you can start to understand your obligations under the legislation.
Note: Nothing in this article should be considered legal advice. This article is for informational purposes only. Every business has unique HIPAA compliance requirements. We recommend contacting an attorney in your local jurisdiction for advice to your specific business needs.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. Passed in 1996, this law adopted national standards for electronic health care transactions and code sets, unique health identifiers, and security. The United States government acknowledged that advances in technology could erode the privacy of health information, and this legislation was an attempt to ensure the required standards were met to keep health information safe.
As technology has evolved since 1996 and the storing of protected health information has become more commonplace, there have been amendments to the Act over the years such as the implementation of the HITECH Act which have strengthened the technical safeguards that businesses were required to meet.
Who is required to follow HIPAA?
Only certain businesses are required to be compliant with HIPAA: covered entities and business associates.
HIPAA covered entities include health plans, clearinghouses, and certain health care providers.
Health plans include:
- Health insurance companies
- HMOs, or health maintenance organizations
- Employer-sponsored health plans
- Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs
Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
Providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to:
- Nursing homes
The Centers For Medicare and Medicaid have a helpful tool which can be used to help determine if you are a covered entity.
If a covered entity engages with a business associate, then there must be a business associate agreement in place. The business associate agreement identifies what exactly the business associate is doing for the covered entity and that the business associate will be compliant with HIPAA.
What is a HIPAA compliant server?
A HIPAA compliant server is a server which adheres to the strict technical requirements outlined in legislation in order to store medical records safely. This involves things like complete data encryption, user authentication, and other aspects which we will describe in detail below.
A HIPAA compliant hosting server must be on a private hosted environment. This means that public cloud or hybrid servers may not be used. A dedicated server or private cloud is the best option.
What is protected health information (PHI)?
In order to achieve HIPAA compliant hosting, it’s important to understand what data must be maintained to these high standards. Protected health information can be defined as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. This includes:
- treatment information
- medical test results, and
- prescription information
When this information can be tied to an individual, it is protected under HIPAA.
How is HIPAA compliance achieved?
HIPAA contains a series of requirements for both privacy and security. The Security Rule of HIPAA contains implementation specifications which outline exactly how compliance may be achieved. A covered entity must either follow the standard or document why the standard was not followed.
A covered entity should review the security specifications completely and follow the 5 main components of the process to achieve HIPAA compliant hosting on their server.
The 5 main components of HIPAA Planning:
- Assess current security, risks, and gaps
- Develop an implementation plan
- Implement solutions
- Document decisions
- Reassess periodically
What are 3 key elements of HIPAA?
The three key elements of HIPAA compliant hosting security are administrative safeguards, physical safeguards, and technical safeguards. Each of these processes begins with a risk analysis.
HIPAA Risk Analysis
When reviewing all the HIPAA security requirements and recommendations, it is critical to perform a risk analysis. This process allows your organization to determine what risks exist and how best to address them. It can be described as:
- The process of identifying potential security risks, and
- Determining the probability of occurrence and magnitude of risks.
Another requirement of the security policies in HIPAA compliance is a sanction policy within the organization. An organization must “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.” This would apply to business associates as well.
1. Administrative Safeguards
The first element of HIPAA compliance on the security rule is administrative safeguards. The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Reviewing Activity Logs
An organization must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Designate A Security Official
A security official in the organization must be designated who is responsible for the development and implementation of the policies and procedures required for the entity. This is similar to the requirements to designate a privacy officer, and this could be the same person in small organizations.
The organization must identify which members require access to the health information (PHI) and restrict access to only the information required. Members of the organization who don’t need access to this data must be restricted from accessing it, and once an employee is terminated there must be procedures to revoke access promptly.
As well, there must be authorization and supervision of workforce members who access health data. For example, it should be logged when a workforce member attempts to access health data outside their permitted scope.
Security Awareness and Training
A security awareness and training program must be designed and implemented with all organization staff, including management. This requirement also outlines that an organization must conduct:
- Security Reminders
- Protection from Malicious Software
- Log-in Monitoring
- Password Management
Other Administrative Safeguards
Other administrative safeguards required to maintain a HIPAA compliant server include:
- Security Incident Procedures
- Contingency Planning
- Backup Planning
- Disaster Recovery Planning
- Emergency Mode Operation Planning
- Testing and Revision Procedures
- Applications and Data Criticality Analysis
2. Physical Safeguards
Facility Access Controls
These standards are designed to implement policies and procedures to limit physical access to an organization's electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. It involves:
- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records
Workstation Use and Security
This standard refers to how workstations or servers are physically protected from access and intrusion. An organization should review the risks and assess whether physical locking or other security measures are required to protect workstations.
As well, policies must be developed and enforced which outline proper workstation use and what activities are appropriate on a business workstation.
Device and Media Controls
Policies must be developed surrounding:
- Media use and re-use
- Data backup and storage
- Records of responsibility and accountability
- Media disposal
3. Technical Safeguards
The third element of HIPAA compliance on the security side is technical safeguards. The HIPAA legislation was designed to be technology agnostic in that no specific technical solutions are recommended. As technology evolves, the legislation acknowledges that there may be multiple solutions to any of these recommendations. Technical safeguards include:
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
Audit controls involve using hardware, software, and/or procedural mechanisms that record and examine activity in information systems. These systems should be monitored and reviewed based on the risks particular to the organization. In particular, it should be noted what audits are in place if a security violation occurred. Does the organization have the appropriate audit record in place to track down the source?
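As an added illustration of the audit-control and log-in monitoring points above (example code written for this article, not a product of VPS House Technology Group or any HIPAA tool), the script below reviews a small set of constructed audit log lines against a hypothetical per-user access scope and reports record access outside that scope plus accounts with repeated failed logins. The log format, the role map and all names are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit log lines (not from any real system); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=nurse_a action=login result=success src=10.0.1.14
2024-03-01T08:03:40Z user=nurse_a action=read record=patient/1042 result=success src=10.0.1.14
2024-03-01T08:10:05Z user=billing_b action=read record=labs/1042 result=denied src=10.0.2.7
2024-03-01T08:11:19Z user=billing_b action=read record=labs/1042 result=denied src=10.0.2.7
2024-03-01T09:00:00Z user=ex_employee action=login result=failure src=203.0.113.9
2024-03-01T09:00:07Z user=ex_employee action=login result=failure src=203.0.113.9
2024-03-01T09:00:15Z user=ex_employee action=login result=failure src=203.0.113.9
2024-03-01T09:30:22Z user=nurse_a action=read record=billing/1042 result=success src=10.0.1.14
"""

# Hypothetical scoping: which record categories each workforce member may access.
PERMITTED = {
    "nurse_a": {"patient", "labs"},
    "billing_b": {"billing"},
}

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
                     r"(?: record=(?P<record>\S+))? result=(?P<result>\S+) src=(?P<src>\S+)")

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def review_audit_log(log_text, permitted, failed_login_threshold=3):
    """Return findings for a reviewer: record access outside the user's permitted
    scope (whether the system allowed or denied it) and accounts whose failed
    logins reach the threshold. Denied attempts are reported too, because an
    access attempt outside scope is itself something the standard says to log."""
    out_of_scope = []
    failures = Counter()
    for e in parse(log_text):
        if e["action"] == "login" and e["result"] == "failure":
            failures[e["user"]] += 1
        elif e["record"]:
            category = e["record"].split("/", 1)[0]
            if category not in permitted.get(e["user"], set()):
                out_of_scope.append((e["ts"], e["user"], e["record"], e["result"]))
    repeated = {u: n for u, n in failures.items() if n >= failed_login_threshold}
    return {"out_of_scope": out_of_scope, "repeated_failed_logins": repeated}

if __name__ == "__main__":
    for key, value in review_audit_log(SAMPLE_LOG, PERMITTED).items():
        print(key, value)
```

The same review run over real logs would feed the periodic log review the administrative safeguards call for; a successful read outside scope (the last sample line) is the case that deserves the most attention, since the system did not stop it.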
Data integrity procedures include steps taken to protect PHI from improper alteration or destruction. This could be something similar to checksum calculations or digital signatures on files.
Person or Entity Authentication
Mechanisms must be in place to verify that a person or entity seeking access to electronic protected health information is the one claimed. This could be a password, PIN, or two-step verification.
Finally, an organization must ensure that health data being transmitted is sent in a secure fashion. This involves a variety of mechanisms including encrypting data, data integrity checks, and determining what other mechanisms may protect data in transit.
As previously mentioned, HIPAA compliant hosting is unique to the size of your organization and your particular risks. There is no out of the box hosting solution which can achieve full compliance for you without significant investment on your part to maintain compliance. Some examples of hosting safeguards include:
- SSL certificates on all domains and subdomains
- An encrypted VPN inside your office and between all servers
- A robust firewall on all servers
- Offsite backups which are also HIPAA compliant
- A private hosting environment
- Data center SOC 2 TYPE II and SOC 3 TYPE II Certifications
Useful HIPAA Resources
The HHS.gov website contains extensive documentation on understanding HIPAA compliant server standards. More information on the topic may be found here.
Deploy A HIPAA Server
As you can see, deploying a HIPAA compliant server involves a significant amount of time and expense for covered entities and business associates. While VPS House Technology Group does not offer HIPAA compliant hosting out of the box, it is possible to achieve HIPAA compliance using a VPS House Technology Group dedicated server and the right information data policies.