Any company handling Protected Health Information (PHI) or working with Electronic Medical Records (EMR) is required to go through an annual HIPAA assessment, which ensures that all proper safeguards are in place. Preparing for the assessment requires strong data center expertise and experience in the healthcare IT space. The assessment can be done with an in-house IT team, but oftentimes organizations don’t have the knowledge and/or resources to handle the necessary requirements. There is another option, though. Over the last several years, many organizations have been opening up to the concept of employing a HIPAA compliant hosting provider. Outsourcing this task can help free up IT teams to focus on growing the business as opposed to worrying about compliance. Having a trusted vendor is extremely important, as there is a lot at stake: first and foremost, we are talking about patients’ personal health records! Secondly, improper security features can lead to a breach and a $1M+ fine from the Office for Civil Rights (OCR), likely shutting down the business. For these and a variety of other reasons, the company’s CIO should be confident the information is 100% secure at all times. Here is a list of the top questions to ask when evaluating hosting providers.
Now that we’ve covered some of the basic reasons, let’s dive into what HIPAA Compliant Hosting is.
In simple terms, it’s a set of comprehensive security and support features designed to help customers maintain their HIPAA compliance in a hosted environment. We should note that it only applies to the data center infrastructure. Things such as office building security and proper employee training are still the organization’s responsibility.
Here at Connectria we recommend setting up a highly available (HA) private cloud environment. In this setup, servers have redundancy built in, and compute resources are not shared with other customers’ environments, eliminating potential security risks. This setup also integrates multiple types of backups in case of an emergency such as a natural disaster. Local backups are placed on a secondary disk within the data center and are available for fast data recovery. The data is also spun off to tape and sent to a facility outside the data center, addressing the off-site storage clause within the HIPAA regulations.
In order to meet HIPAA standards, data must be kept in a manner that is unreadable, undecipherable, and inaccessible to outside parties. Connectria addresses this clause via encryption of data both in motion and at rest, including the backups mentioned above. Connectria utilizes a dedicated firewall that gives users the ability to establish a VPN connection to the server. Data is encrypted as it moves between the local machine and the server, so the data is protected in transit.
But there is one more essential component of a HIPAA compliant hosting plan we haven’t talked about yet… the managed services! At Connectria, everything from management of the OS to antivirus, vulnerability scanning, and 24/7/365 monitoring is included as part of the customer’s monthly fee. No more waking up in the middle of the night for server issues; a dedicated team now handles this task.
As with any business partnership involving healthcare information, a Business Associate Agreement (BAA) must be signed between the Covered Entity (the customer) and the Business Associate (the hosting provider). The new Omnibus regulations being gradually rolled out by the OCR have evened out the liability between the two parties. In other words, everyone involved in the process is on the hook in case of a breach.
Connectria has gone through hundreds of HIPAA assessments on behalf of our customers over the years, and we don’t take HIPAA compliance lightly. For the sake of your business, and your well-being, you shouldn’t either. Talk to a pre-sales engineer who can further explain all that’s involved in HIPAA compliant hosting. Contact us online or by phone at 1-800-781-7820.