HIPAA Hosting: What Is It and What It Means For Your Private Information
HIPAA hosting refers to application, website, or data storage and hosting services that conform to the physical safeguard requirements of the HIPAA Security Rule. HIPAA hosting is a necessity for application developers who must build HIPAA-compliant solutions.
Are you HIPAA Compliant With HIPAA Hosting?
HIPAA hosting alone does not make you HIPAA compliant. HIPAA's Security and Privacy Rules set out the requirements that determine compliance, and HIPAA hosting covers just one aspect of them. Even if your application runs in a HIPAA-compliant hosting environment such as Firehost or Amazon AWS, that compliance does not carry over to your application, because hosting addresses only the physical safeguard requirements of the Security Rule.
To be compliant, you must also address the Administrative and Technical safeguards of the Security Rule. Rather than spending your own time and resources building them to make your app HIPAA compliant, TrueVault will manage them for you.
What Information Must Be Stored In These Hosting Environments
Only some of the information handled by your eHealth, mHealth or wearable app needs to go in the HIPAA hosting environment. Anything deemed PHI (protected health information), meaning health information in a medical record that can identify a person, must be stored in a HIPAA-compliant environment. PHI is created and used in the course of providing medical services and includes information such as:
- Medical records
- Health insurance information
- Billing information
- Any identifiable health information
Doctor’s notes, test results, MRIs, x-rays, patient communications, etc. are all deemed PHI. A HIPAA-compliant web hosting environment is needed whenever a healthcare application handles any of the above information.
ePHI is the electronic form of the above information, meaning identifiable health information that is created, maintained or transmitted electronically. It, too, must be stored in a HIPAA-compliant web hosting environment.
How Can Web Hosting Providers Ensure They Are HIPAA Compliant
There are two primary requirements a web hosting provider must meet to be in compliance with HIPAA:
- Signed Business Associate Agreement (BAA) – required of any service provider that will handle or manage PHI or ePHI.
- Addressing the Physical Safeguard standards laid out in the HIPAA Security Rule, including:
  - Contingency Operations – Establish and, when needed, carry out procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. (Addressable)
  - Facility Security Plan – Implement policies and procedures to safeguard the facility and its equipment from unauthorized physical access, tampering and theft. (Addressable)
  - Maintenance Records – Implement policies and procedures to document repairs and modifications to the physical components of a facility that relate to security, such as doors, locks and hardware. (Addressable)
  - Accountability – Maintain a record of the movements of hardware and electronic media and of the person responsible for them. (Addressable)
  - Access Control & Validation Procedures – Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision. (Addressable)
  - Data Backup & Storage – Create a retrievable, exact copy of ePHI, when needed, before equipment is moved. (Addressable)
  - Workstation Use – Implement policies and procedures that specify the functions to be performed, the manner in which they are to be performed, and the physical attributes of the surroundings of any workstation that can access ePHI. (Required)
  - Workstation Security – Implement physical safeguards for all workstations that access ePHI, restricting access to authorized users. (Required)
  - Media Re-Use – Implement procedures for removing ePHI from electronic media before the media are sold or made available for re-use. (Required)
  - PHI Disposal – Implement policies and procedures to address the final disposition of ePHI and of the hardware or electronic media on which it is stored. (Required)
Addressable vs. Required HIPAA Rules
Most of the above specifications are deemed addressable. A required specification must be implemented by a HIPAA host as written. For an addressable specification, the host must assess whether it is reasonable and appropriate for its environment: if it is, it must be implemented; if it is not, the host must document why and implement an equivalent alternative measure where one is reasonable and appropriate. In either case the decision must be documented. Addressable does not mean optional; you must still deal with every addressable specification.
In practice, most HIPAA hosting companies implement the addressable provisions alongside the required ones as part of their security features.