Top 10 HIPAA Compliant Cloud Hosting Platforms

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the confidentiality and security of health care information. It pertains to organizations that provide medical care and/or maintain personal health information (PHI).

HIPAA Privacy & Security – Dual Protection

HIPAA comprises several sections that set the standards for receiving, transmitting and maintaining health care information, and ensuring the privacy and security of individual identifiable information.

Two of these sections directly pertain to organizations that manage electronic protected health information (e-PHI):

HIPAA Privacy Rule – The HIPAA Privacy Rule protects the privacy of individually identifiable health information, and provides patients’ rights over their health information.

HIPAA Security Rule – The HIPAA Security Rule sets national standards for the security of e-PHI. It establishes the technical and non-technical safeguards that ensure the protections set forth by the HIPAA Privacy Rule.

HIPAA Checklist

As they prepare for the implementation of the new rules, Covered Entities (CEs) should, at minimum, conduct the following:

  • Review and update HIPAA policies and procedures.
  • A review should pay particular attention to those policies and procedures that relate to marketing, sale of PHI, fundraising, notices of breach, disclosures to schools, disclosures involving deceased individuals, disclosures to family members and use of genetic information.
  • Revise and disseminate a Notice of Privacy Practices (NPP). The NPP should account for changes to uses and disclosures under the new rules. This is especially important for health plans who must notify members that the plan is now prohibited from using or disclosing genetic information for underwriting purposes.
  • Evaluate and update a covered entity’s BA agreements. Determine whether the inventory of BA agreements captures all the BA relationships now that the definition of BAs has changed and been clarified. Furthermore, given the new clarifications, covered entities may determine that some BA agreements are no longer necessary, such as between providers involved with the treatment of an individual or in an OHCA.
  • Discuss with BAs the need for BA agreements with BA subcontractors. It would not hurt to gently remind BAs about their obligations under the final rules.

HIPAA Business Audit

A HIPAA breach can happen to any business, regardless of size. If you manage Electronic Protected Health Information (e-PHI), then you are fair game for a HIPAA audit. One misstep in your HIPAA IT compliance can mean bankruptcy, not to mention the risk of criminal incarceration.

  • Between 25 and 27 percent of all HIPAA breaches involve a business associate, with some estimates as high as 64 percent.
  • 31.3 million individuals have had their protected health information compromised in a large HIPAA breach (one involving 500 people or more) since 2009.
  • Medical-related identity theft accounts for 43 percent of all identity thefts reported in the United States.
  • Learn more about HIPAA audits at hhs.gov.

Even if the mistake had reasonable cause and was an accident, you can still pay between $1,000 and $50,000 per violation. This means that even if only three client electronic medical records are compromised by mistake, your business will still owe up to $150,000. However, with HIPAA breaches it is usually dozens, if not hundreds, of electronic medical records that are compromised. This can mean up to $1.5 million AND up to one year of incarceration.

Contact a HIPAA IT professional today to learn how you can protect your business from a HIPAA breach.

A simple solution to HIPAA Compliance for your digital records

HIPAA is fraught with rules and regulations, but in the end it is up to your organization to determine what you need to do to achieve HIPAA compliance. This allows for flexibility, but also generates a great deal of uncertainty. The most important thing to consider is that any entity that stores, transmits, and/or processes e-PHI must adhere to all HIPAA compliance rules. Therefore, these rules and requirements apply not only to patient care, but also to your data center and IT infrastructure.

If you are in the process of ensuring that your organization is HIPAA compliant, you are likely debating whether to keep your data hosting in-house or to outsource it. Regardless of which option you choose, all data must comply with HIPAA rules and regulations.

A HIPAA compliant computer network at a medical practice requires the following:

  • Antivirus
  • OS Patch & Change Management
  • Off-Site Backup (encrypted)
  • Off-Site Disaster Recovery
  • 24/7 Monitor and 1st Responder
  • Business Associate Agreements
  • HIPAA Trained Staff & Policies
  • Log management / 1 year retention policy
  • Access control documentation (physical safeguards & virtual safeguards)

The Omnibus Rule and the HITECH Act require any organization that manages, stores, and/or transmits personal health information (PHI) to meet HIPAA compliance standards. This likely means you must significantly revamp your IT infrastructure to comply. This is where a HIPAA hosting provider can help.


Top 10 HIPAA Compliant Cloud Hosting Platforms:


WHOA

Whoa HIPAA Compliant Cloud solutions provide security, compliance, data integrity, encryption, accountability, and perimeter solutions.

CLEARDATA

ClearDATA is the leading healthcare-exclusive cloud provider with extensive expertise in the security and compliance needed to protect sensitive healthcare data. Our work allows you to focus on yours – providing superior healthcare.

BOX

Securely manage healthcare files with HIPAA compliant file sharing and management solutions. Protect patient records, insurance info, and other vital data.

COGNIZANT

Cognizant’s HIPAA-compliant healthcare cloud infrastructure solution provides a highly scalable, readily available and secure AWS architecture.

CARECLOUD

Power your apps & technology with the same enterprise-class application platform that powers ours.

ILAND

The iland Secure Cloud platform provides advanced security and on-demand reporting features that smooth the way for healthcare companies to get the data they need to show compliance with HIPAA regulations.

AWS.AMAZON

Entities subject to HIPAA compliance can use AWS to process, maintain, and store protected health information.

CLOUD.GOOGLE

Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn your trust. We’re constantly working to expand our coverage.

ATLANTIC

Atlantic offers hosting solutions customized to your business needs – cloud, managed, dedicated, HIPAA compliant, and more.

DASHSDK

For HIPAA compliant hosting & cloud services, organizations turn to the Dash Solutions platform for configuring and managing HIPAA in Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure and other public cloud services.


***

Why The Cloud?

The table below compares an outsourced HIPAA compliant cloud hosting provider with traditional hosting (i.e. in-house servers/data center).

Anti-Virus

Outsourced Cloud Hosting:
  • Real-time identification of and response to threats
  • Powerful antivirus is included in the monthly service plan

Traditional In-House Hosting:
  • Reliance upon insufficient antivirus software (often only the kind that comes with the computer) or expensive third-party protective services

OS Patch & Change Management

Outsourced Cloud Hosting:
  • Hardware/software and internal upgrades are managed by HIPAA-trained IT staff. All services are included in the monthly service plan

Traditional In-House Hosting:
  • Hardware/software, user logs and internal upgrades are not updated or protected appropriately – or they may be outsourced to expensive 3rd parties

Off-Site Backup

Outsourced Cloud Hosting:
  • Data is replicated and encrypted (both in transit and at rest) in separate off-site locations
  • Swift data recovery
  • Proactive in avoiding security threats
  • All backup/disaster recovery is included in the monthly service plan

Traditional In-House Hosting:
  • Irregular backup procedures conducted by a staff member with minimal IT knowledge
  • Unencrypted data
  • Should a data loss incident occur, the data takes months to recover
  • Reactive to security threats

24/7 Monitor and 1st Responder

Outsourced Cloud Hosting:
  • 24/7 HIPAA Security Officer
  • All security alerts are handled in real time
  • All services are included in the service plan

Traditional In-House Hosting:
  • Either no 24/7 monitoring activities, or monitoring outsourced to an expensive 3rd party

Business Associate Agreement

Outsourced Cloud Hosting:
  • All BAAs are drafted and maintained by HIPAA legal professionals as part of the monthly service plan

Traditional In-House Hosting:
  • No BAA unless they outsource to 3rd parties, and these are often not drafted according to HIPAA standards

HIPAA Trained Staff & Policies

Outsourced Cloud Hosting:
  • Access to professional legal counsel regarding all HIPAA requirements and policies, which are constantly changing – all included in the monthly plan

Traditional In-House Hosting:
  • Lack of professional legal advice on compliance with technical, security, and administrative HIPAA regulations

HIPAA Compliant Backup

An IT disaster has costly ramifications for organizations of any type. But when disaster strikes a HIPAA Covered Entity (CE) or a Business Associate (BA), these ramifications are tenfold.

Ranging from natural disasters to man-made chaos, countless forms of unavoidable IT disasters threaten your organization. And it’s not a matter of ‘if’ but a matter of ‘when’ an IT disaster will occur. If your backup system is not compliant with HIPAA, then you are held liable, which translates into a HIPAA breach, closely followed by civil and even criminal charges.

But, there is another, even more serious ramification of HIPAA non-compliance and data loss – the violation of patient trust. You can’t put a price tag on that.

Data Backup & Your HIPAA Contingency Plan

HIPAA requires all CEs and BAs to create a Contingency Plan to establish strategies, policies and procedures for responding to an emergency or other occurrence (e.g. fire, vandalism, system failure, or natural disaster) to protect and recover access to electronic protected health information (e-PHI).

Among the requirements outlined by the Contingency Plan is to create a Backup Plan that will establish and implement procedures to create and maintain retrievable and exact copies of your e-PHI. It is also required that the Backup Plan must undergo periodic testing, with revisions being applied when necessary to maintain your HIPAA compliance.

Protecting The Three Pillars of HIPAA Security

When patients are in crisis, the confidentiality, integrity, and availability of their medical records can mean the difference between life and death. In order to protect your patients and your organization, your Backup System must protect three aspects of e-PHI:

  • Data confidentiality: Information will not be disclosed to unauthorized individuals or processes.
  • Data integrity: The condition of data or information has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems.
  • Data availability: Data or information is accessible and usable upon demand by an authorized person.

What Needs to be Backed Up?

CEs and BAs must establish and implement procedures to create and maintain retrievable exact copies of e-PHI. To do this, they must back up all data and application configurations at an offsite location. This includes, but is not limited to, the following:

  • Patient accounting systems, electronic medical records, health maintenance, and case management information
  • Digital recordings of diagnostic images
  • Electronic test results
  • Any other electronic documents created or used

What are HIPAA Compliant Backup Procedures?

HIPAA requires the strictest of backup procedures, which include, but are not limited to, the following:

  • All hardware systems must be redundant.
  • Mission-critical hardware systems (e.g., database servers, network routers, connections to the Internet) must be duplicated.
  • Data are encrypted and backed up frequently, and transferred to an off-site storage location at least weekly.
  • System backups must be tested (e.g., restored to the test environment) on a monthly basis.
  • EHR downtime and reactivation policies and procedures are complete, available, and reviewed regularly.
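A worked check for the "retrievable, exact copies" and "restored to the test environment" requirements above, covering the integrity pillar as well (an added example, not code from the original article or from any provider listed): a backup writer that records a SHA-256 manifest signed with an HMAC key, and a restore test that reports missing, altered or unexpected records. The directory layout, file names and key are constructed; encryption of the copy at rest is assumed to be handled by the storage layer and is not shown.

```python
import hashlib
import hmac
import json
import shutil
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large diagnostic images never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256: the 'exact copy' reference."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON so an altered manifest cannot mask altered data."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def write_backup(source: Path, dest: Path, key: bytes) -> None:
    """Copy the records to the (constructed) off-site location and record their hashes."""
    data_dir = dest / "data"
    shutil.copytree(source, data_dir)
    manifest = build_manifest(data_dir)
    (dest / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    (dest / "manifest.sig").write_text(sign_manifest(manifest, key))


def verify_restore(backup: Path, key: bytes) -> dict:
    """The periodic restore test: check the manifest signature, then every record."""
    manifest = json.loads((backup / "manifest.json").read_text())
    signature_valid = hmac.compare_digest(
        (backup / "manifest.sig").read_text(), sign_manifest(manifest, key))
    current = build_manifest(backup / "data")
    missing = sorted(name for name in manifest if name not in current)
    altered = sorted(name for name, digest in manifest.items()
                     if name in current and current[name] != digest)
    extra = sorted(name for name in current if name not in manifest)
    return {"signature_valid": signature_valid, "missing": missing,
            "altered": altered, "extra": extra,
            "ok": signature_valid and not (missing or altered or extra)}
```

Run `verify_restore` against the copy that the monthly restore test brings back, not against the primary store, so the test proves the off-site copy is retrievable and exact.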

Additional Requirements – Physical Safeguards

CEs and BAs must also create a retrievable, exact copy of e-PHI on demand before moving any equipment.

HIPAA Email Encryption

The Privacy Rule gives patients the right to request that their e-PHI be transmitted via email. The Security Rule requires the covered entity (CE) and/or the business associate (BA) to protect the integrity of, and restrict access to, the content of the email. This requires a HIPAA compliant email service provider that meets the stringent HIPAA requirements for data protection and data encryption over open networks.

How Email Works

It’s easier to understand HIPAA compliant email hosting once you understand how email works.

When you send an email, you connect with an Email Service Provider who then connects to other Email Service Providers before sending the email on to the recipient.

The worst-case scenario (which is the most common scenario) is that the email sender’s server, the email service providers’ servers, and the email recipient’s servers are NOT protected by encryption. So the email that is sent and received through the Internet is unsecured, wide open, and vulnerable to interception and/or theft by hackers. This is a leading cause of HIPAA breaches.
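To make the relay picture above concrete, an added example (not from the original article) that reads the Received: headers a message collected on its way through the providers, oldest hop first, and flags every hop whose "with" keyword (RFC 3848: ESMTPS, ESMTPSA and their UTF8 variants) does not indicate TLS. The message, host names and IDs are constructed.

```python
import email
import re

# RFC 3848 "with" keywords that mark a hop as TLS-protected (trailing A = authenticated).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
_FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")


def parse_hops(raw_message: str) -> list:
    """Relay hops oldest-first; each records sending host, receiving host and TLS use."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each receiving server prepends its own Received: line, so the last one is the first hop.
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())  # unfold the header
        from_by = _FROM_BY.search(text)
        with_kw = _WITH.search(text)
        protocol = with_kw.group(1).upper() if with_kw else "UNKNOWN"
        hops.append({"from": from_by.group(1) if from_by else "?",
                     "by": from_by.group(2) if from_by else "?",
                     "protocol": protocol,
                     "tls": protocol in TLS_PROTOCOLS})
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Receiving servers that accepted the message without TLS on that hop."""
    return [hop["by"] for hop in parse_hops(raw_message) if not hop["tls"]]


# Constructed sample: three relays; the middle one accepted the message in the clear.
SAMPLE_MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
\tby mx.clinic.example (Postfix) with ESMTPS id A1B2C3
\tfor <records@clinic.example>; Mon, 3 Jun 2024 10:00:03 +0000
Received: from relay1.example.org (relay1.example.org [192.0.2.10])
\tby relay2.example.net with ESMTP id D4E5F6;
\tMon, 3 Jun 2024 10:00:02 +0000
Received: from workstation.sender.example ([192.0.2.5])
\tby relay1.example.org with ESMTPSA id 789ABC;
\tMon, 3 Jun 2024 10:00:01 +0000
From: sender@sender.example
To: records@clinic.example
Subject: Lab results

(body omitted)
"""
```

Only the Received: line stamped by your own mail server is one you can vouch for; the earlier lines were written by the relays themselves, so this check tells you which hops claim TLS, not which hops you can prove used it.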
