7/29/2019 Hipaa Compliant Data Centers White Paper
http://slidepdf.com/reader/full/hipaa-compliant-data-centers-white-paper 1/36
Visit http://www.onlinetech.com/hipaa for more information.
Copyright © Online Tech 2012. All Rights Reserved. page 1 of 36
HIPAA Compliant Data Centers
1.0. Executive Summary
2.0. Impact of HITECH and HIPAA on Data Centers
3.0. What is a HIPAA Compliant Data Center?
3.1. Administrative Safeguards
3.2. Physical Safeguards
3.3. Technical Safeguards
3.4. Organizational Requirements
3.4.1. Business Associate Agreements
3.5. HIPAA Compliant Data Center Architecture
3.5.1. Requirements
3.5.2. Enhanced Security
4.0. Outsource vs. In-House Hosting
4.1. Benefits of Outsourcing Hosting
4.2. Risks of Outsourcing
5.0. Vendor Selection Criteria
5.1. HIPAA Compliant Business Associates
5.2. Other Key Data Center Considerations
6.0. Conclusion
7.0. References
7.1. Questions to Ask Your HIPAA Hosting Provider
7.2. Example BAA
7.3. Data Center Standards Cheat Sheet
1.0. Executive Summary
The increasing pressure to implement meaningful use, reduce healthcare costs, and improve
care outcomes while still protecting patient interests has led to strategic review and overhaul by
many healthcare providers and vendors. Evaluating outsourcing options to allow industry
experts to manage parts of the healthcare IT components is an obvious part of the equation,
and the intensive capital expense, human resource, security, and maintenance demands
specific to data centers make these prime candidates for cost savings.
However, balancing the resource benefits of outsourcing data center and hosting services with
the risks of engaging an off-premise business associate is daunting in the wake of increasing
PHI (protected health information) breaches and penalties. Ultimately, finding the best blend of
resources that can fulfill the availability, integrity, and confidentiality requirements to protect
ePHI (electronic protected health information) - and thereby protecting the patients, covered
entities, and business associates - is the challenge at hand.
This white paper explores the impact of HITECH and HIPAA on data centers. It includes a
description of a HIPAA compliant data center IT architecture, contractual requirements, benefits
and risks of data center outsourcing, and vendor selection criteria.
2.0. Impact of HITECH and HIPAA on Data Centers
Protecting the confidentiality, integrity, and availability of electronic protected health information
(ePHI) is the essence of the HIPAA Security Rule1. Since data centers typically store, transmit,
or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA
compliance. The same risk analysis, administrative safeguards, physical safeguards, technical
safeguards, and ongoing due diligence apply just as much in the data center as in a provider’s
facility.
While there is some debate about the responsibilities of business associates for the protection
of ePHI, all indications point towards business associates being held as responsible as covered
entities. Consider the latest notice of proposed rulemaking that speaks to the extension of
responsibilities from covered entities to business associates:
As with the Privacy Rule, the Security Rule requires covered entities to have contracts or
other arrangements in place with their business associates that provide satisfactory
assurances that the business associates will appropriately safeguard the electronic
protected health information they receive, create, maintain, or transmit on behalf of the
covered entities.2
1U.S. Dept. of Health and Human Services, HIPAA Security Series: Basics of Risk Analysis and Risk Management;
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
Moreover, both covered entities and business associates should bear in mind that enforcement
by the HHS Office for Civil Rights (OCR) under HITECH is not the only legal concern. The last year
has witnessed an increase in state and consumer lawsuits against both covered entities and
business associates. In January 2012, the Minnesota Attorney General filed a lawsuit against
Accretive Health for failing to protect the confidentiality of over 23,000 patient healthcare
records.3
The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk
management, safeguards, and ongoing compliance governance standards are followed no
matter where ePHI resides. This means that data centers, whether in-house or outsourced,
need to fully embrace complete responsibility for ePHI. In the areas of administrative
safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare
providers tend to be stronger. In the areas of technical safeguards and PHI availability,
professional data center companies that invest extensively in redundant facility infrastructure
and security may be the safer bet.
2U.S. Dept. of Health and Human Services, Federal Register Part II;
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf
3Minnesota Attorney General, Attorney General Swanson Sues Accretive Health for Patient Privacy Violations;
http://www.ag.state.mn.us/Consumer/PressRelease/120119AccretiveHealth.asp
Ideally, either a healthcare provider would have infinite resources to build and maintain multiple,
high-availability data centers or a data center hosting business associate would have a thorough
understanding of HIPAA compliance including a HIPAA security risk analysis and management,
policies, training of all employees, and ongoing HIPAA compliance audits. While both ideals
exist, they are in the minority. In these cases, the weighing of the pros and cons falls back to the
risk analysis and management to choose the best option that will maintain ePHI confidentiality,
integrity, and availability.
3.0. What is a HIPAA Compliant Data Center?
Data centers need to adhere to the administrative, physical, and technical safeguards and
standards set forth by the HITECH act to be HIPAA compliant. Following is a brief review of the
administrative, physical, and technical safeguards with specific notes applicable to data centers.
3.1. Administrative Safeguards
The Security Management Process described under 164.308(a)(1) includes requirements for
HIPAA Risk Analysis and Risk Management, which “form the foundation upon which an entity’s
necessary security activities are built.” (68 Fed. Reg. 8346.)4
Start by reviewing the data center’s HIPAA Report on Compliance, sometimes referred to as an
HROC. Providers who maintain their own data centers are likely to have this included in their
risk analysis and management plan already. This can serve as a useful point of comparison
across the various HIPAA standards, citations, and implementation specifications when
outsourcing to a third-party data center business associate.
Data center providers who have invested in an independent HIPAA risk assessment should
provide a copy of their HIPAA compliance report upon request, at least under NDA. When a
data center business associate can provide a HIPAA compliance report, it will save covered
entities (CEs) significant costs of evaluating HIPAA compliance, which should happen in
advance of entering into a partnership. If a CE elects to outsource data center hosting services
to a business associate that does not have, or does not provide, an independent HIPAA report
on compliance available, the CEs will have to bear the burden of evaluating compliance and
proving due diligence.
Other Administrative Safeguards that should be in place in all data centers that store, transmit,
or process ePHI include:
● Assigned Security Responsibility 164.308(a)(2)
● Workforce Security 164.308(a)(3)
● Information Access Management 164.308(a)(4)
● Security Awareness and Training 164.308(a)(5)
● Security Incident Procedures 164.308(a)(6)
● Contingency Plan 164.308(a)(7)
● Evaluation 164.308(a)(8)
● Business Associate Contracts and Other Arrangements 164.308(b)(1)
4U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Basics of Risk Analysis and
Risk Management; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
3.2. Physical Safeguards5
STANDARDS                   SECTIONS           IMPLEMENTATION SPECIFICATIONS
Facility Access Controls    § 164.310(a)(1)    Contingency Operations; Facility Security Plan;
                                               Access Control and Validation Procedures;
                                               Maintenance Records
Workstation Use             § 164.310(b)
Workstation Security        § 164.310(c)
Device and Media Controls   § 164.310(d)(1)    Disposal; Media Re-use; Accountability;
                                               Data Backup and Storage
Nothing beats an on-site visit to ascertain the level of security. Think of it this way: this data
center might hold the data of hundreds, or thousands, of your patients. You want to feel the
same sense of solid trust and ease from your visit - the same way you want your patients to feel
towards their own care providers. As an extension of a covered entity, the business associate
should foster a sense of expertise, careful procedure, and a willingness to communicate openly
about questions and policies. Imagine the first night of sleep after moving your PHI to this place
- will you sleep soundly, or lie awake in dread?
Things to check for include the following:
● Two-factor authentication - If not personally escorted, anyone in the data center should be
wearing a badge to identify them and need at least 2 forms of identification for access, such
as badge and access code, or biometric fingerprint scanner and badge. If you go for a data
center visit and are not asked to sign in and wear a badge, security should be considered
less than adequate.
5U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Physical Safeguards;
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
● Prolific use of video surveillance - Ask to see the video logs and how long they are
kept (should be at least 90 days).
● Visitor logging - The entries in the logbook should directly match the video surveillance
tapes. Ask when the last independent auditor confirmed the match of visitor logs with the
video archives. Ask who the auditor was and investigate the auditor’s company to
confirm their credibility.
● Procedure Documentation - Ask to review the documentation for the procedure to
allow access by unannounced visit, phone call, or email. Don’t just ask the security or
compliance officer - ask anyone. If there is a consistent policy and procedure in place,
you should get a consistent and reassuring answer.
3.3. Technical Safeguards6
STANDARDS                        SECTIONS           IMPLEMENTATION SPECIFICATIONS
Access Control                   § 164.312(a)(1)    Unique User Identification; Emergency Access Procedure;
                                                    Automatic Logoff; Encryption and Decryption
Audit Controls                   § 164.312(b)
Integrity                        § 164.312(c)(1)    Mechanism to Authenticate Electronic Protected
                                                    Health Information
Person or Entity Authentication  § 164.312(d)
Transmission Security            § 164.312(e)(1)    Integrity Controls; Encryption
The HIPAA Security Rule does not require specific technology solutions, but it does outline the
standards and implementation specifications. The Rule’s intent is to allow covered entities the
flexibility to determine which security measures are a good fit for their company, depending on
size and different needs.
6U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Technical Safeguards ;
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
The HHS provides guidance around the implementation specifications below:
Unique User Identification – Assign a unique user ID to each employee so that your
company can track user activity while the user is logged into an information system. Shared
or generic accounts defeat this, because audit log entries can no longer be attributed to a person.
Emergency Access Procedure – Establish a written procedure outlining the protocol to
access ePHI in the event of an emergency, including policies around who needs access
and possible ways to gain access.
Automatic Logoff – Automatic logoff should be implemented on every workstation with
access to ePHI after a certain period of inactivity.
Encryption and Decryption – This is an addressable specification: it is not mandatory in every
case, but it must be implemented where reasonable and appropriate, and where it is not, the
reason and any equivalent alternative measure must be documented. Determine which ePHI or
software programs are appropriate for encryption.
Audit Controls – This refers to implementing a system that logs and monitors activity on
information systems with ePHI.
Integrity – Intended to protect the integrity of ePHI, the existing systems should have
functions or a process to check for data integrity, such as digital signatures or checksums.
Person or Entity Authentication – Proof of identity should include a password or PIN,
smart card, token, key and/or biometrics (fingerprints, facial patterns or voice patterns).
Transmission Security – For integrity controls, the primary method to protect ePHI is
through the use of network communications protocols, although other methods include
data or message authentication codes. Encryption is another option to consider after
reviewing your company’s methods of transmission, frequency of transmission, and
potential issues found in your risk analysis.
3.4. Organizational Requirements7
STANDARDS                                            SECTIONS           IMPLEMENTATION SPECIFICATIONS
Business associate contracts or other arrangements   § 164.314(a)(1)    Business Associate Contracts; Other Arrangements
Requirements for Group Health Plans                  § 164.314(b)(1)    Implementation Specifications
Policies and Procedures                              § 164.316(a)
Documentation                                        § 164.316(b)(1)    Time Limit; Availability; Updates
7U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and
Procedures and Documentation Requirements; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf
The Organizational Requirements found in the HIPAA Security Rule concern contracts and
agreements with business associates (BAs) and the requirements for group health plans; the
accompanying policies, procedures and documentation requirements apply to every covered
entity and business associate.
Business Associate Contracts (or Agreements, BAA) – This ensures business
associates will implement the HIPAA safeguards to protect ePHI they receive or maintain
on behalf of the covered entity. It also ensures that any subcontractors they work with
will also follow the safeguards. The agreement requires BAs to report all security
incidents and allows contract termination if any violations occur (read more about
BAAs below).
Other Arrangements – This is allowed only if both the business associate and
covered entity are government entities, and they enter into a memorandum of
understanding (MOU) that addresses all of the objectives of a BAA.
Group Health Plans – The implementation specifications are the same as those
required for BAAs (above).
Policies, Procedures and Documentation – Required policies, procedures and documentation
must be retained for a period of at least six years from their creation or last effective date,
be available to the people responsible for implementing them (in print or on an intranet), and
be reviewed and updated in response to environmental or operational changes that affect ePHI
security.
3.4.1. Business Associate Agreements
Not only does an effective business associate agreement need to be in place between covered
entities and their business associates; the contractors and vendors of the business associate
must also share and sign business associate agreements if there is any potential of access to
PHI data.8
The business associate agreement (BAA) is the ideal place to clarify the roles and
responsibilities between the covered entity and the business associate. For example, the OCR
requires the following documentation in the event of a PHI breach:
Documentation
Documentation of the covered entity’s admission, denial, or a statement indicating that
the covered entity has obtained insufficient evidence to make a determination regarding
the allegations.
Documentation of an internal investigation conducted by the covered entity in response
to the allegations including a copy of the incident report prepared as a result of the
laptop and server theft.
Documentation of the covered entity’s corrective action taken or plan for actions the
covered entity will take to prevent this type of incident from happening in the future,
including documentation specifically addressing, if applicable:
○ Sanctioning of the workforce member(s) who violated the Privacy and Security
Rules, in accordance with the covered entity’s current policies and procedures,
and as required by the Privacy Rule.
○ Re-training of appropriate workforce members.
○ Mitigation of the harm alleged, as required by the Privacy Rule.
8U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and
Procedures and Documentation Requirements; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf
HIPAA Policies and Procedures
A copy of HIPAA policies and procedures related to the disclosure of and safeguarding
of PHI and specifically EPHI.
A copy of the policies and procedures implemented to safeguard the CE’s facility and
equipment.
Physical Safeguards
Evidence of physical safeguards implemented for computing devices to restrict PHI
access.
Business associate agreements and/or policies and procedures implemented to ensure
business associates have implemented the appropriate safeguards (if applicable).
Risk Assessment
A copy of the most recent risk assessment performed by or for the CE, per Security Rule
requirements.
Evidence of security awareness training for involved workforce members including
training on workstation security.
Evidence of the implementation of a mechanism to encrypt EPHI stored on the
workstations.
Breach Notification
A copy of the written notification of the breach provided to the affected individuals.
A copy of the written notification given to the media. This should include a list of all
media sources to whom this notification was given and any media reports (news stories
or articles) stemming from this notification.
Much of the required documentation requires months of planning and implementation. If you
sign a BAA today, and have a PHI breach tomorrow, are you confident that your data center can
provide the necessary information to respond in a thorough and timely manner to the OCR?
3.5. HIPAA Compliant Data Center Architecture
The diagram below shows elements of a HIPAA compliant hosting architecture.
To create this, we worked with Certified HIPAA Security Specialists and Certified HIPAA
Professionals who matched each HITECH standard, specification, and implementation with a
common technology application to meet Security Rule compliance.
Each element is described in the following pages.
3.5.1. Requirements
Antivirus
The Security Awareness and Training Standard of the HIPAA Security Rule (Section
164.308(a)(5))9 specifically calls out the need for “Protection from Malicious Software.” We all
use antivirus on our laptops, and using it on a server operates under the same premise: safety
and security for critical infrastructure. This is one of the most cost-effective elements of security
you can buy for a managed server, provided signatures are kept current and the alerts it raises are
actually reviewed.
OS Patch Management
Routine OS patch management is required in today’s IT climate. And yes, there are many older
servers, older applications, and just plain old implementations out there that IT administrators
are scared to touch. These are, for example, the MS-SQL 2000 implementations that are
connected to disparate systems, ERP systems, and other legacy applications that IT managers
feel might break if patched. These are often unpatched due to lack of funding for application
redesign, and sheer terror on the part of some IT managers to implement change for the
security and good of the company.
With all the security bulletins, holes, bugs, zero-day exploits, viruses, and other security
vulnerabilities announced daily for operating systems, applications, and databases, a solid
process is needed to design a patch process that safeguards all systems. This includes
choosing one or more patch process tools, processes, and procedures, and then setting up a
unified test, staging, and production environment to test the patches.
Backup and Disaster Recovery
The HIPAA Contingency Plan standard described in section 164.308(a)(7)10 requires a data
backup plan, disaster recovery plan, emergency mode operation plan, testing and revision
procedures, and application and data criticality analysis. Part of proving due diligence is holding
CEs and BAs responsible for ensuring PHI is not destroyed or lost in the event of a disaster.
Offsite data backups are imperative and offsite disaster recovery is strongly recommended.
Patient care is not a 9-5 job; a primary driver behind electronic health records is the portability
and availability of patients’ records to health care providers around-the-clock. Availability means
that PHI is always available, accessible and never lost. When a patient arrives in the emergency
room at two o’clock in the morning, the electronic health records need to be available so the
physician can address the emergency with all of the patient’s records at his fingertips.
9U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Administrative Safeguards ;
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
10U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and
Procedures and Documentation Requirements; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf
Protecting healthcare data, and ensuring its availability means putting procedures in place to
mitigate disasters, and having a solid plan in-hand to activate when a disaster occurs. The
infrastructure to do this is defined by two perspectives:
1. Disaster Prevention - Putting all the tools in place to minimize the probability of an
outage in the data center infrastructure, server hardware, software and network connectivity.
2. Disaster Recovery - Assuring that the applications and data can be recovered and
restored in a reasonable timeframe to continue running the business and making patient
data available if a disaster occurs in the primary data center.
High Availability, Redundant Firewalls
Firewalls can help meet both administrative safeguard requirements to protect PHI from
malicious software (164.308(a) (5)) and the technical safeguard requirements to tightly control
access to PHI (164.312(a) (1)). The data center should be protected by redundant, or high
availability, firewalls so that if one fails due to a hardware, software, or power issue, a second
firewall can still stand between PHI and a malicious attack. Intrusion detection and intrusion
prevention capabilities should also supplement firewall protection, and are often a feature of
many modern firewall and universal threat management appliances.
Plan or evaluate with the knowledge that it’s not a matter of “if” a firewall fails, it’s “when” a
firewall fails. Look for every single point of failure in the data center and plan high-availability
redundancies anywhere they exist. For example, the firewalls should be plugged into separate
power strips that are connected to separate power feeds in the data center. If the redundant
firewalls are plugged into a single power strip that blows a breaker fuse, all redundancy is lost.
High Availability, Redundant Routers
Routers are responsible for passing data to and from the data center from the Internet. In order
to ensure that PHI is always available, the data center should use redundant routers to ensure
that data traffic can still continue when one router experiences a hardware, software or power
failure. Routers should be powered by separate power strips connected to separate power
feeds for true redundancy.
High Availability, Redundant Internet Service Providers
If the data center relies on a single Internet Service Provider (ISP), PHI availability will be at risk.
Ask if the data center that will be protecting your PHI has separate ISPs that connect via
different sides of the data center. Ask if the redundant service providers connect all the way to
the data center directly through the same or disparate last-mile connections – different last-mile
fiber connections will provide enhanced redundancy.
HIPAA Trained Staff and Documented Policies
The most secure technologies are rendered useless without a culture of processes that ensures
that secure policies and procedures are documented and consistently followed. Review of
independent audit reports should reflect a foundation of secure policies that guide day-to-day
operations.
HIPAA compliance also requires that all staff receive HIPAA security training and ongoing
security updates. Ask potential vendors if all members of their staff have received HIPAA
security training, where HIPAA compliance documents and policies are kept (every employee
should know), and the date of the last training and security update. A company with a culture of
security and compliance will have answers readily at hand.
3.5.2. Enhanced Security
The following section describes additional enhanced security measures a CE can put in place to
further hedge against the risk of a PHI breach. While these enhanced protections come at an
additional cost to the IT budget, the cost of cleaning-up the aftermath of a breach are far greater
to the business.
Two-Factor Authentication
One of the weakest links in protecting PHI is the use of simple passwords. While it may seem
like common sense that passwords based on a spouse’s name, anniversary, or simple patterns
like “abc123” or “123456” are not sufficient to protect PHI, ensure there is a policy of using
complex passwords of at least 8 characters that combine lower case letters, upper case letters,
numbers, and special symbols. A policy of changing passwords regularly (every 90 days) is a
good start, though later guidance (NIST SP 800-63B) favours screening new passwords against
lists of known-breached passwords over forced periodic rotation, so check current guidance
when you set the policy.
To protect against weak or stolen passwords, implement two-factor authentication. This requires
multiple forms of identification for a login, such as a one-time code in addition to a
username/password combination. Biometric login systems may require a fingerprint along with a
code or keycard.
For cloud and web-based applications, two-factor authentication systems typically require a
username, password, and a code that is sent to a mobile device by phone call or text message,
or generated by an authenticator app or hardware token. Prefer the app or token where you can:
codes delivered by SMS or voice can be intercepted through SIM swapping and telephone
network attacks.
Ask your cloud provider if they provide dual-factor authentication services for VPNs and web-
based logins or contract with a service such as Duo11 to improve PHI protection.
SSL/TLS Certificate (Web Apps)
To secure PHI data in a web-based application, a TLS certificate (still commonly called an SSL
certificate, after the now-deprecated Secure Sockets Layer protocol) is a must. The certificate lets
the browser verify that it is talking to the genuine server, and the TLS session it establishes
encrypts all data moving between the two end-points (i.e. from a browser to the server hosting the
application or website). Since many healthcare applications are now hosted in the cloud and
accessed by browsers (Internet Explorer, Chrome, Firefox), a valid certificate and a current TLS
configuration are essential to proper security. Note that the certificate only protects the session
if the client actually verifies it; a client configured to skip verification is encrypted but still
open to interception.
[11] Duo Security; http://www.duosecurity.com
File Integrity Monitoring (FIM)
File integrity monitoring refers to ensuring the integrity of the files on a server. The basic
technique is to record a known-good baseline (a cryptographic hash of each file's contents
together with its ownership and permission bits) and to compare the current state of each file
against it on a schedule. While many file changes are expected in the normal course of daily
activity (logs, caches, scheduled updates), a few kinds of change should trigger further
investigation: a change of ownership, of security settings or permissions, or of configuration
values, and any change to files that should never change between deployments, such as
application code and system binaries.
When the enhanced security of FIM makes sense, a separate server is often set up to perform
this function, using one of many third-party software packages to collect and evaluate file
changes and alert administrators of any suspicious activity. Keeping the baseline and the
alerting off the monitored host matters: an intruder with root on the server could otherwise
edit the baseline to hide their changes.
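The following Go program is an added example of that baseline-and-compare technique; it is not code from this white paper or from any FIM product. It hashes every regular file under a directory with SHA-256, records the permission bits and (on Unix, via syscall.Stat_t) the owner and group, and reports removed, added, modified, re-permissioned and re-owned files separately, so the ownership and permission changes the text singles out are not lost among routine content edits. The file names and contents in main() are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"syscall"
)

// Entry is what the baseline stores per file: a content hash plus the
// metadata the text singles out, permission bits and owner/group.
type Entry struct {
	SHA256 string
	Mode   fs.FileMode
	UID    uint32
	GID    uint32
}

// hashFile streams the file through SHA-256 so large files are not read into memory.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Baseline walks root and records every regular file, keyed by its path relative to root.
func Baseline(root string) (map[string]Entry, error) {
	base := make(map[string]Entry)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		e := Entry{SHA256: sum, Mode: info.Mode().Perm()}
		if st, ok := info.Sys().(*syscall.Stat_t); ok { // owner/group are Unix-specific
			e.UID, e.GID = st.Uid, st.Gid
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		base[rel] = e
		return nil
	})
	return base, err
}

// Compare reports every difference between the saved baseline and a fresh scan.
// Ownership and permission changes are reported even when the bytes are identical,
// since those are the changes that most often precede an attack.
func Compare(baseline, current map[string]Entry) []string {
	var findings []string
	for path, old := range baseline {
		now, ok := current[path]
		if !ok {
			findings = append(findings, "REMOVED "+path)
			continue
		}
		if now.SHA256 != old.SHA256 {
			findings = append(findings, "CONTENT "+path)
		}
		if now.Mode != old.Mode {
			findings = append(findings, fmt.Sprintf("MODE %s %04o->%04o", path, uint32(old.Mode), uint32(now.Mode)))
		}
		if now.UID != old.UID || now.GID != old.GID {
			findings = append(findings, fmt.Sprintf("OWNER %s %d:%d->%d:%d", path, old.UID, old.GID, now.UID, now.GID))
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			findings = append(findings, "ADDED "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed demo tree: snapshot it, tamper with it as an intruder might, rescan.
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "app.conf"), []byte("db_host=10.0.0.5\n"), 0o640)
	os.WriteFile(filepath.Join(root, "index.php"), []byte("<?php echo 'ok';\n"), 0o644)
	before, _ := Baseline(root)

	os.WriteFile(filepath.Join(root, "index.php"), []byte("<?php eval($_GET['c']);\n"), 0o644) // code changed
	os.Chmod(filepath.Join(root, "app.conf"), 0o666)                                             // config made world-writable
	os.WriteFile(filepath.Join(root, "shell.php"), []byte("<?php system($_GET['c']);\n"), 0o644) // web shell dropped
	after, _ := Baseline(root)

	for _, f := range Compare(before, after) {
		fmt.Println(f)
	}
}
```

In a deployment the baseline map would be serialized and stored on the separate monitoring server, and the scan would exclude directories that are expected to churn (logs, caches) so that the alert stream stays small enough to be read.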
Web Application Firewall (WAF)
A web application firewall sits in front of a web application and inspects HTTP requests and
responses, rather than only packets and ports as a network firewall does. It can block requests
that carry common attacks (SQL injection, cross-site scripting, path traversal), enforce an
allowable configuration of URLs, methods and parameter formats, and monitor responses for
sensitive data such as patient identifiers leaving the application. For PHI applications that
involve a website where security is paramount, use of a WAF may make sense. It is a powerful
tool in the security toolbox and can prevent leakage of PHI to unauthorized users, but it is a
compensating control: it does not remove the vulnerabilities in the application behind it, and its
rules need tuning against real traffic so that legitimate users are not blocked.
Encryption
Encryption for data at rest and in transit is very strongly recommended. When transmitting PHI,
the data should travel over an encrypted connection (TLS or an IPsec VPN); encrypting the
payload itself as well gives defense in depth should the connection ever be misconfigured. When
using encryption for PHI, follow the NIST (National Institute of Standards and Technology)
guidance that HHS references: Special Publication 800-111, Guide to Storage Encryption
Technologies for End User Devices, for data at rest, and NIST's TLS and VPN guides (SP 800-52,
800-77 and 800-113) for data in transit. [12]
Data at rest is data stored on servers or backup systems (tape or disk) while not in use. This
data needs to be encrypted in case of disk theft, lost backup media or unauthorized access to the
storage. Note what storage encryption does and does not cover: it protects media that leave your
control, but anyone who can log in to the running server sees the data decrypted, so access
controls, logging and key management (keys kept separate from the data, ideally in an HSM or
key-management service, and rotated) matter as much as the cipher. Many data breaches are due to
lost or stolen unencrypted portable devices (laptops or smartphones). PHI should not be stored on
portable devices, but instead in HIPAA compliant data centers that serve the data to mobile
devices. That way, thousands of patient records are not stored on any of your computing devices,
but in a secure location that can be accessed through a mobile device. This greatly improves
your PHI security: if you lose the device, you do not lose all of the sensitive data as well.
Additionally, the HIPAA breach notification rule applies only to "unsecured" PHI. Breaches of
unsecured PHI affecting 500 or more individuals must be reported to HHS, and to prominent media
outlets, without unreasonable delay; smaller breaches are logged and reported to HHS annually,
and affected individuals must be notified in every case. If the PHI was encrypted in a manner
consistent with the HHS guidance and the decryption key was not also compromised, the loss or
theft of that data is not a reportable breach, so you are not required to notify HHS, the media
or the affected individuals. [13]
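As an added example of authenticated encryption for a record at rest (not code from this white paper, and not any particular vendor's implementation), this Go program uses AES-256-GCM from the standard library: every record gets a fresh random nonce, the record identifier is bound in as additional authenticated data so a ciphertext cannot be silently swapped between patients, and any modification of the stored bytes is detected on decryption. The key comes from crypto/rand here for the demo; in production it would be fetched from an HSM or key-management service rather than generated beside the data. The record contents are constructed, not real PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. In a data center this would be
// obtained from an HSM or key-management service and never stored with the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// SealRecord encrypts one PHI record with AES-256-GCM. The record ID is bound in
// as additional authenticated data so a ciphertext cannot be moved to another
// record undetected; the random nonce is stored in front of the ciphertext.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any bit flip in the nonce, ciphertext, tag
// or record ID makes it return an error instead of corrupted plaintext.
func OpenRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored record too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; nothing here is real patient data.
	record := []byte(`{"mrn":"000123","dx":"J45.20","note":"follow-up in 6 weeks"}`)
	stored, err := SealRecord(key, "mrn:000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %x\n", stored)

	back, err := OpenRecord(key, "mrn:000123", stored)
	fmt.Println("decrypted:", string(back), err)

	stored[len(stored)-1] ^= 0x01 // simulate tampering with the stored blob
	_, err = OpenRecord(key, "mrn:000123", stored)
	fmt.Println("after tamper:", err)
}
```

The nonce must never repeat under the same key; a random 96-bit nonce is safe for the record counts a single data key should see, and rotating keys (re-encrypting with a new key on a schedule) keeps that bound comfortable.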
[12] NIST, Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
[13] U.S. Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
4.0. Outsource vs. In-House Hosting
4.1. Benefits of Outsourcing Hosting
Save on Costs
Why would a covered entity with sensitive data outsource their hosting solution to a third-party?
A HIPAA compliant hosting provider that has already passed an independent HIPAA audit can
save time and money, because you can review its audit report instead of auditing the vendor's
facilities yourself in addition to your own business. While this does not release you from the
obligation and responsibility of meeting compliance, it helps you achieve compliance more
readily and mitigate risk.
Additionally, managed hosting allows your IT team to focus on the applications directly related
to your business, not on the day-to-day details involved with server updates, data center
infrastructure, network management and security which can more readily be outsourced to a
trusted provider.
Security
A HIPAA compliant hosting provider can provide the latest tested and audited technology to
help achieve compliance and secure your ePHI. With a variety of required and recommended
security methods, you can trust experienced, certified professionals to maintain, monitor and
accurately generate logs of activity on your servers.
Outsourcing allows you to benefit from the layers of security that a quality hosting provider
should have in place. These include physical security, environmental controls, logged access and
video surveillance, and multiple alarm systems to detect unauthorized access.
Network security covers the sensitive infrastructure (managed servers, cloud platform, power and
network), built with redundant routers and switches and paired unified threat management (UTM)
devices to protect sensitive information.
While HIPAA and the HITECH Act give patients the right to access their own records on request,
your outsourced hosting provider should never need to access PHI itself; its role is to build,
maintain and monitor the secure infrastructure in which your sensitive information is stored and
transmitted.
Availability
The use of high-availability (HA) solutions in a fully redundant and compliant data center can
allow clients to increase their uptime and PHI availability. Using an HA infrastructure can reduce
the risk of business downtime due to a single point of failure. Outsourcing to a HIPAA hosting
provider means your business can take advantage of your data center operator’s design of
power connections, UPS (Uninterruptible Power Supplies) systems, generators, air conditioning
and networks.
Flexibility
Outsourcing allows you to benefit from current virtualization technology, such as the fifth-
generation VMware platform that dominates the market for applications requiring a high degree of
scalability. Choosing a high-performance managed cloud lets you scale servers up and down as
needed to respond to the demands of end-users, with fast deployment times.
4.2. Risks of Outsourcing
Outsourcing HIPAA compliant hosting to a service provider means extending your circle of trust
to include a third-party vendor. These service providers, known as business associates (BAs),
expose your company to the potential risk of a PHI breach. According to HHS.gov, 62 percent of
the total number of patient records breached involved a business associate, which makes it all
the more necessary to thoroughly vet anyone that touches your PHI.
The stakes for both covered entities and business associates are getting higher, with HHS now
extending responsibility to protect PHI to all business associates throughout the "chain of
trust." States are also exercising their rights to prosecute business associates under
provisions other than the HITECH Act.
HIPAA Breach Fines and Penalties
A covered entity's lack of due diligence can result in costly fines and penalties. Civil
penalties for a HIPAA violation (including a data breach, whether through lost or stolen data)
range from $100 per violation, with an annual maximum of $25,000 for repeat violations of the
same provision, up to $50,000 per violation with an annual maximum of $1.5 million. [14]
[14] Office for Civil Rights, Federal Register Vol. 74, No. 209, Rules and Regulations; http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
The amount depends on the tier of culpability, with minimum and maximum penalties per violation
and annual caps for repeat violations of the same requirement:
HIPAA Violation Types and Penalties [15]

Violation type                                  | Minimum penalty                                                  | Maximum penalty
Individual did not know they violated HIPAA     | $100/violation; annual max of $25,000 for repeat violations      | $50,000/violation; annual max of $1.5 million
Reasonable cause and not willful neglect        | $1,000/violation; annual max of $100,000 for repeat violations   | $50,000/violation; annual max of $1.5 million
Willful neglect, corrected within 30 days       | $10,000/violation; annual max of $250,000 for repeat violations  | $50,000/violation; annual max of $1.5 million
Willful neglect, not corrected                  | $50,000/violation; annual max of $1.5 million                    | $50,000/violation; annual max of $1.5 million
A further category of HIPAA violation covers covered entities and individuals that knowingly
breach the HIPAA regulations; for these, criminal penalties apply.
The most serious offense is a HIPAA breach committed with intent to sell, transfer or use
individually identifiable health information for commercial advantage, personal gain or malicious
harm, punishable by fines of up to $250,000 and imprisonment for up to ten years.
Ultimately, covered entities are held responsible for the monetary and reputational
consequences, although liability will extend directly to business associates under the recently
proposed revisions to the HIPAA rules.
[15] American Medical Association, HIPAA Violations and Enforcement; http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
5.0. Vendor Selection Criteria
5.1. HIPAA Compliant Business Associates
When a covered entity decides to outsource HIPAA compliant hosting to a business associate, it
needs to look for certain indicators of compliance to ensure due diligence in vetting the
service provider. Due diligence can help a covered entity prevent a potential data breach, with
its costly fines and reputational and business damage.
HIPAA Report on Compliance (HROC)
As the number of reported data breaches and the cost of these data breaches to the healthcare
industry rise, it becomes imperative for a covered entity to select business associates that have
invested in an independent audit and can provide a copy of their audit report to ensure they are
following compliant policies and procedures.
Ask your HIPAA hosting provider if they can provide a copy of their independent audit report
(also known as a HIPAA Report on Compliance, HROC), and check its scope: which HIPAA standards
and implementation specifications were examined (one common audit scope covers 54 HIPAA citations,
136 audited components and 19 standards), whether the report covers the specific facilities and
services you will use, and whether any findings remained open.
HIPAA Certification vs. Compliance
Beware of data center operators that claim to be “HIPAA certified.” There is no governing body
or federally recognized HIPAA certification, for covered entities or business associates alike.
The correct term and usage is “HIPAA compliant,” meaning their policies, procedures,
technology and staff implement security controls that are aligned with the HIPAA rules.
While, in some cases, certification may mean they have taken an unofficial exam and passed
with knowledge of HIPAA-related material, it does not mean their facilities, staff or solutions are
actually compliant with the HIPAA standards. It also does not mean using their services will
make your company compliant.
Other Data Center Audits
While an HROC is specific to healthcare and the protection of PHI, other data center audits can
give you additional guidance and insight into a vendor’s ongoing compliance and level of
operating standards, as well as the quality of service you can expect to receive.
● SAS 70 [16] - Statement on Auditing Standards No. 70 was originally used to measure a
service provider's controls related to financial reporting and recordkeeping. Two types are
recognized by the AICPA (American Institute of CPAs): a Type 1 report covers the company's
description of its operational controls as of a point in time, while a Type 2 report adds the
auditor's opinion on how effectively those controls operated over a specified period. In both
cases, keep in mind that the audited company gets to specify the controls it will be audited
against. Some specify only a handful of weak controls; others specify dozens of strong ones.
Make sure you read the details of the controls.
[16] American Institute of CPAs, SAS No. 70 Transformed; http://www.aicpa.org/News/FeaturedNews/Pages/SASNo70Transformed%E2%80%93ChangesAheadforStandardonServiceOrganizations.aspx
● SSAE 16 - Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in
June 2011. An SSAE 16 audit measures the controls relevant to financial reporting. Type 1
reports on a data center's description and assertion of controls, as reported by the company, as
of a point in time. Type 2 adds the auditor's tests of whether the described controls are in
place and operated effectively over a specified period. No two SSAE 16 reports are the same, as
there is no standard set of controls. Make sure you read the details of the controls.
● SOC 1 [17] - One of the three Service Organization Controls (SOC) reports developed by the
AICPA, this report covers the controls of a data center as relevant to its customers' financial
reporting. It is the report produced by an SSAE 16 audit, so it measures the same controls.
● SOC 2 [18] - This report is a detailed account of the technical controls of an IT or data
center operator, evaluated against the five Trust Services Principles: security, availability,
processing integrity (ensuring system processing is accurate, complete and authorized),
confidentiality and privacy. There are two types: Type 1 reports on the data center's system and
the suitability of the design of its controls, as reported by the company. Type 2 includes
everything in Type 1 plus the auditor's testing and opinion on the operating effectiveness of the
controls over the review period. This is the first AICPA report to standardize the control
criteria, so there is less variety between reports. Still, since every audit, auditor and company
are different, read the details of the report rather than taking it for granted; in particular,
check which of the five principles are in scope, since a provider may choose to be assessed on
security alone.
● SOC 3 [19] - This report carries the auditor's opinion on the SOC 2 criteria with an
additional seal of approval for use on websites and other documents. It is less detailed and
technical than a SOC 2 report and is intended for general distribution.
● PCI DSS [20] - The Payment Card Industry Data Security Standard was created by the major
card brands and applies to companies that store, process or transmit cardholder data. Data center
operators that host cardholder data need to have undergone a PCI audit to obtain an Attestation
of Compliance (against version 2.0 of the standard at the time of writing), and they should have
a full understanding of which technical components can help your company meet the PCI
requirements.
[17] American Institute of CPAs, SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting; http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx
[18] American Institute of CPAs, SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy; http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc2report.aspx
[19] American Institute of CPAs, SOC 3: Trust Services Report for Service Organizations; http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc3report.aspx
[20] The PCI Security Standards Council, PCI SSC Data Security Standards Overview; https://www.pcisecuritystandards.org/security_standards/
As with any type of audit, covered entities must review each individual compliance report to
determine its scope and depth and how far it applies to the services they will use. Each SSAE 16
or HIPAA audit is unique to the hosting provider.
Business Associate Agreement
The lack of a business associate agreement (BAA) implies negligence and may fall under the
HIPAA violation category of Willful Neglect. Check to make sure your business associate has a
thorough BAA with documented policies that discuss how they handle PHI, from breach
notification to contract termination and data ownership.
Part of your due diligence as a covered entity is to understand your hosting provider's
documented policies and procedures for securing your data and handling a data breach. Check the
timeline in their breach notification policy: a business associate is required by law to notify
the covered entity of a breach of unsecured PHI without unreasonable delay, and in no case later
than 60 calendar days after discovery, and the covered entity must in turn notify affected
individuals without unreasonable delay and no later than 60 calendar days after it discovers the
breach. [21] Since the statutory maximum is generous, negotiate a much shorter contractual
notification window in the BAA.
Another key clause of a BAA should have terms and effective dates, with language around how
PHI will be handled after termination, including the return and destruction of data. Data
ownership, access and rights should also be discussed in the agreement.
PHI Breach Insurance Protection
Even if your business associate and your company have policies and procedures in place to
prevent a data breach, unexpected data loss can still occur. Covered entities may want to ask for
a copy of the business associate's PHI breach insurance policy. This is important to cover the
cost of notification, investigation, litigation and any levied penalties. If the business
associate has been put out of business or severely compromised by the substantial costs of a
breach, all of the burden will fall upon the covered entity.
Insurance policies exist that will mitigate the costs of PHI breach notification, litigation and
penalties. It’s a basic protection every business associate should invest in.
HIPAA Policy Training
Your HIPAA hosting provider should have documented internal processes and policies that reflect
best practice. Within their organization, they should have a designated security official (the
HIPAA Security Rule requires one) who oversees that the policies and procedures are being
followed and are in compliance with the HIPAA regulations.
21U.S. Department of Health and Human Services, Breach Notification Rule ;
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
The Risk Management Officer also conducts employee training to educate and implement the
HIPAA policies and procedures that affect the day-to-day operations of their organization.
Employee training is important for any business associate, as many data breaches (and HIPAA
violations) are the result of human error or an employee mishandling sensitive data, not of
hacking. During the vendor selection process, ask your hosting provider for the most recent date
of their HIPAA policy training and the percentage of employees that have completed it.
5.2. Other Key Data Center Considerations
Ownership
As stated earlier, data ownership is especially important to review in your hosting contract and
BAA. Some providers reserve the right to access, allow access, and claim ownership of your
sensitive information while it is hosted on their servers or in their environment. This is an issue
that can occur especially in the cloud, as some cloud vendors may claim legal ownership of the
data once in their possession.
Another consideration is ownership and operation of the data center(s). Some hosting providers
will provide a service that is run in data centers owned and operated by different companies -
this further extends the “chain of trust” to include potentially unknown third-parties. If you have
no way of knowing who has access to or controls the environment that houses your servers, let
alone their level of compliance, you are putting your PHI and business at risk.
Geographical Location
Hosting facility location is another important consideration, as data centers located in certain
regions are more susceptible to natural disasters, risking the complete destruction of your data.
Choosing a data center located in a low-risk region such as the Midwest is one step closer to
complete data safety.
Another factor is climate: a region that allows a data center operator to take advantage of
natural cooling for most of the year lets you, as the client, benefit from their operating cost
savings. It also reduces the risk of overheating and hardware failure that could affect your data
availability.
Knowing where your data lives is a key consideration: if your data leaves the country, do you
still have control of it? Your HIPAA obligations do not stop at the border; a covered entity
remains responsible for its PHI wherever it is stored. What changes is that HHS, which enforces
HIPAA, has little practical reach over an overseas vendor, your ability to audit the facility is
limited, and the host country's own laws on government access to data may apply. Once your data
travels overseas, you may be exposed to a data breach or HIPAA violation that you can neither
prevent nor detect, so specify in the contract and BAA where PHI may be stored.
Disaster Recovery
The HIPAA Security Rule was created to protect not only the confidentiality of ePHI, but also the
integrity and availability of patient records. According to HHS, "integrity" means that ePHI is
not altered or destroyed in an unauthorized manner, and "availability" means that it is accessible
and usable on demand by an authorized person. [22]
Protecting integrity and availability means putting formal data backup and recovery plans in
place, so that data can be restored accurately and quickly after a disaster, a failure or an
unauthorized change. Location matters for offsite backup and disaster recovery: a copy of your
PHI in a separate location preserves it when the primary site is lost. Test restores regularly;
a backup that has never been restored is an assumption, not a plan.
Because the Security Rule requires on-demand access to patient records, it also calls for high
availability hosting and infrastructure. Choosing a data center operator with well-designed
geographical separation between its data centers helps availability, as does having feeds from
multiple power grids to boost utility resiliency should one power provider experience a prolonged
outage.
Data Destruction
The HHS’s guide on specifying technologies and methodologies that render protected health
information unusable, unreadable or indecipherable to unauthorized individuals recommends
that paper, film, or other hard copy media must be destroyed or shredded in a manner that
would render PHI illegible. Electronic media must be wiped or destroyed consistent with NIST
standards outlined in the NIST Special Publication 800-88, Guidelines for Media Sanitization,
rendering PHI irretrievable.23
Ensuring the confidentiality of your sensitive data means knowing where your data goes after
you terminate your contract with your HIPAA hosting vendor. It also means knowing whether any
copies of the data are left over after you leave the vendor. If any archived, unencrypted PHI is
found on backup tapes or servers, you are at risk of a HIPAA violation. Check your HIPAA hosting
provider's BAA for specific provisions on how they will handle PHI after contract termination,
and ask for a certificate of destruction when the data is wiped.
High Availability
A high availability (HA) hosting infrastructure is imperative to ensuring data is always
accessible. HA solutions increase uptime and availability and lower risks. It’s not a matter of “if”
something fails, it’s planning for “when” failures happen - and they will. In your evaluation of any
data center - yours or a third-party – you should endeavor to identify all of the single points of
failure. It’s worth an outside opinion if reviewing your own data center (nothing beats an
independent pair of eyes) and when visiting a potential data center Business Associate - ask the
hard questions whenever you suspect complete redundancy is not in place.
22U.S. Department of Health and Human Services, Summary of the HIPAA Security Rule ;
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
23U.S. Department of Health and Human Services, 45 CFR Parts 160 and 164 ;
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
With HA protection in place, providers can hedge against the loss of electrical power, network
connectivity disruptions, router or firewall failures and cooling problems, and have peace of
mind knowing PHI is protected, available and safe.
A managed HIPAA hosting solution takes several design factors into account to ensure that no
single points of failure exist. This is true for the data center infrastructure layer as well as
for the individual servers and components in the rack.
The major design points for a successful HIPAA hosting implementation include building in
redundancies in critical equipment and infrastructure, including:
● Power connections - Dual independent power feeds are run from separate circuit breakers to
two separate power supplies in each server. Each power supply is plugged into a different power
strip in the rack. Power strips with digital amp-load readouts aid in monitoring power draw and
help avoid tripping a circuit breaker, which would shut down the entire strip.
● UPS systems - Uninterruptible Power Supplies (UPS) clean and distribute power and provide
backup power from a bank of batteries in the event of an outage. Because the UPS output is
regulated, fluctuations in utility power, both surges and brown-outs, never reach the racks.
● Generators - Each UPS is fed by one or more feeds from the utility company, and the utility
feed is backed by multiple generators running on diesel or natural gas. If utility power is lost,
the UPS batteries hold the racks at stable power while the generators start and take over. Fuel
supply contracts must be in place with several vendors, with fuel delivery SLAs.
● Air conditioning - N+1 redundant cooling is in place with environmental monitoring and
scheduled maintenance plans to ensure the data center climate stays within the safe zone.
● Network connections, switches and firewalls - The network connectivity in a managed cloud
is designed to replicate the redundancy of the power distribution, so that the network and
Internet connectivity have no single point of failure. Each server in the cloud should have at
least two separate Network Interface Cards (NICs) connecting it to the redundant HA network, with
each NIC connected to a different network switch; these switches distribute connectivity to all
servers within the cloud.
Each network connection passes through a pair of redundant firewalls, which protect traffic on
each segment of the network from intruders and other threats. Each firewall in turn connects to
separate routers and network access switches, and those routers connect to multiple Internet
Service Providers (ISPs) to provide diverse network paths to and from the Internet.
Cloud Computing
Server and storage devices
A high-performance managed cloud relies on top-tier technology for server hosts and SAN storage.
Virtualization technologies like VMware (in its fifth generation) dominate the market for
applications that require a high degree of resiliency, security and scalability. The ability to
scale servers up and down as needed also introduces flexibility into the managed cloud
architecture, so that clients can be responsive to the needs of their end-users.
VMware backed by name-brand SAN and server technology create the server and storage
platforms necessary to deliver highly available cloud solutions. Regardless of which brand of
hardware is chosen, using multiple server hosts allow VMware to failover to secondary hosts in
the event of a hardware failure, keeping critical systems online in the cloud.
Finally, a SAN with multiple redundant controllers and high-speed RAID disk systems is designed
to meet the performance and availability needs of virtualization environments for today's
demanding applications. Today's SANs combine intelligence and automation with fault tolerance to
provide simplified administration, rapid deployment, enterprise performance and reliability, and
seamless scalability.
Room to Grow
When choosing a HIPAA compliant hosting company, you want to partner with a business that
can give you room to grow. On-demand resources can be deployed rapidly with a managed
cloud solution, meaning you can easily scale servers up and down as needed.
Managed Services
With a managed hosting provider, you can take advantage of their managed services to ease
the burden on your own IT staff and resources. An investment in managed hosting services
means a trained and professional IT team can perform maintenance and updates, freeing up
your IT staff to focus on developing your core business and applications. Some of the managed
services available when you outsource include:
● Patch Management - Ask your potential vendor if they provide OS patch management as a
managed service. Why is patch management important? If your servers are not updated and managed
properly, your PHI and applications are exposed to attackers exploiting known vulnerabilities.
Your hosting provider should provide notification of outstanding updates, patch installation
assistance, and different levels of patch management for optimal security, including a defined
window for applying critical fixes.
● 24/7 Emergency Response - In the event of unauthorized access or a disaster/failure, your
hosting provider should have a responsive, trained support team ready to report and remediate
the issue. The faster a data breach is reported to you, the more time your company will have to
respond to the Office for Civil Rights (OCR) and compile the documents it requires.
● Proactive Server Monitoring - With a remote server monitoring service, you should be
able to check the status of your servers even if you’re not located at the data center.
Your hosting provider should have a monitoring service that allows you to check your
current disk space or bandwidth usage, and your application, web and database
performance, all through a single-pane-of-glass portal.
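As an added example (not code from this white paper or from Online Tech), the following Python check turns the output of `apt list --upgradable` into the kind of "outstanding updates" notification the patch management bullet asks a provider for, separating packages whose fix comes from a security suite from ordinary updates so a security patch is never lost in a long list. It assumes Debian/Ubuntu hosts and the line format apt prints; the sample output is constructed, the `-security` suite naming is a Debian/Ubuntu convention that is only an assumption for other distributions, and the 0/1/2 exit-status convention is borrowed from common monitoring plugins rather than from anything on this page.

```python
"""Outstanding-update report from `apt list --upgradable` output.

Added example for this white paper, not Online Tech's tooling. Assumes
Debian/Ubuntu hosts and apt's line format:
    name/suite[,suite...] newversion arch [upgradable from: oldversion]
An update is treated as a security update when any of its suites ends in
"-security" (Debian/Ubuntu convention; an assumption for other distributions).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"(?:\s+\[upgradable from:\s+(?P<old>[^\]]+)\])?\s*$"
)


@dataclass(frozen=True)
class Pending:
    name: str
    new_version: str
    old_version: Optional[str]
    security: bool


def parse_upgradable(text: str) -> List[Pending]:
    """Parse apt output; an unrecognised line raises instead of being silently skipped."""
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        # apt prints a "Listing... Done" banner and may emit warning/notice lines.
        if not line or line.startswith(("Listing", "WARNING", "N:")):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised apt line: {raw!r}")
        suites = m.group("suites").split(",")
        pending.append(
            Pending(
                name=m.group("name"),
                new_version=m.group("new"),
                old_version=m.group("old"),
                security=any(s.endswith("-security") for s in suites),
            )
        )
    return pending


def summarize(pending: List[Pending]) -> Dict[str, object]:
    """Split pending updates into sorted security and non-security package lists."""
    return {
        "security": sorted(p.name for p in pending if p.security),
        "other": sorted(p.name for p in pending if not p.security),
        "total": len(pending),
    }


def exit_status(summary: Dict[str, object]) -> int:
    """Monitoring-plugin style: 2 = security updates pending, 1 = other updates, 0 = clean."""
    if summary["security"]:
        return 2
    if summary["other"]:
        return 1
    return 0


def live_report() -> Dict[str, object]:
    """Run apt on the local host (needs a Debian/Ubuntu system; not used by the sample run)."""
    out = subprocess.run(
        ["apt", "list", "--upgradable"], capture_output=True, text=True, check=True
    ).stdout
    return summarize(parse_upgradable(out))


# Constructed sample output in apt's format; not captured from a real host.
SAMPLE_OUTPUT = """\
Listing... Done
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
vim/jammy-updates 2:8.2.3995-1ubuntu2.3 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.2]
"""

if __name__ == "__main__":
    report = summarize(parse_upgradable(SAMPLE_OUTPUT))
    print(report)
    raise SystemExit(exit_status(report))
```

Run under cron or a monitoring agent, the non-zero exit status is what drives the notification; the parser deliberately fails loudly on a line it does not understand, because a check that silently drops lines would report "clean" on exactly the hosts whose output changed.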
If you were to keep your hosting in-house, you may not have the resources
or budget to accommodate all of the features listed above, including the investment in capital
and hardware. Keeping operations in-house may require training or hiring new staff to
manage server hardware, storage, virtual servers or data center infrastructure as you work to
implement and achieve HIPAA compliance with different technologies. One example is building
an offsite disaster recovery solution: some cloud hosting providers can provide a disaster
recovery solution at a significantly lower cost than building it internally.
6.0. Conclusion
With the right business associate that can prove compliance and fit the needs of your company,
you can safely outsource HIPAA hosting to a fully managed and audited data center operator.
Partnering with a provider that can implement the proper administrative, technical and physical
security means you can also take advantage of their managed service offerings to save on
internal resources better spent on your core business.
However, realizing the benefits of outsourcing requires doing your due diligence as a covered
entity in the vendor selection process to keep the integrity, confidentiality and availability of ePHI
consistent with federal standards. Extending the “chain of trust” to a third-party means you are
only as compliant as your weakest link - further emphasizing the need to carefully select your
vendors.
Here’s a quick review of what to look for in a HIPAA hosting provider:
● Review a copy of their HIPAA Report on Compliance (HROC) outlining the scope of their
independent HIPAA audit - this is essential to ensuring their data centers and solutions
are operating within compliance.
● Ask your HIPAA hosting provider what type of specific technologies should be
implemented, and a copy of their detailed operating policies and procedures.
● Check the dates of your vendor’s last employee training sessions, and the percent of
total employee completion. As a business associate, your hosting provider should have
an appointed Risk Management and Security Officer that oversees training and ongoing
compliance.
● Review their business associate agreement (BAA) that should outline the responsibilities
of both the business associate and covered entity, and their roles in protecting PHI from
contract start to termination. Check for a clause specifically related to their breach
notification timeline.
● Other considerations include an ideal data center location free from natural disasters
and designed for high availability and disaster recovery options, and contract clauses
relevant to data ownership, data center ownership and data destruction.
Meet with your potential vendor and verify all of the above are in place and that they are
regularly maintained and monitored. Outsourcing, when done right, can save a covered entity
significant money and time and provide a high level of compliance and service quality while
avoiding the potential risk of a HIPAA violation.
7.0. References
7.1. Questions to Ask Your HIPAA Hosting Provider
1. Do you sign a BAA (business associate agreement) with documented and communicated
policies?
2. What timeframe does your BAA promise clients for PHI breach notification?
3. Who performed your independent HIPAA audit and do you provide copies of the audit report?
4. What policies and technologies are used to protect my applications and PHI data?
5. If disaster strikes, how long will it take before PHI is available again?
6. Do you have documented policies and procedures?
7. Are your employees trained to handle PHI and comply with HIPAA policies?
7.2. Example BAA
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
SAMPLE BUSINESS ASSOCIATE CONTRACT PROVISIONS [1] (Published in FR 67 No. 157 pg. 53182, 53264 (August 14, 2002))
Statement of Intent
The Department provides these sample business associate contract provisions in response to
numerous requests for guidance. This is only sample language. These provisions are designed
to help covered entities more easily comply with the business associate contract requirements
of the Privacy Rule. However, use of these sample provisions is not required for compliance
with the Privacy Rule. The language may be amended to more accurately reflect business
arrangements between the covered entity and the business associate.
These or similar provisions may be incorporated into an agreement for the provision of services
between the entities or they may be incorporated into a separate business associate
agreement. These provisions only address concepts and requirements set forth in the Privacy
Rule and alone are not sufficient to result in a binding contract under State law. They do not
include many formalities and substantive provisions that are required or typically included in a
valid contract. Reliance on this sample is not sufficient for compliance with State law and does
not replace consultation with a lawyer or negotiations between the parties to the contract.
Furthermore, a covered entity may want to include other provisions that are related to the
Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may
want to add provisions in a business associate contract in order for the covered entity to be able
to rely on the business associate to help the covered entity meet its obligations under the
Privacy Rule.
In addition, there may be permissible uses or disclosures by a business associate that are not
specifically addressed in these sample provisions, for example having a business associate
create a limited data set. These and other types of issues will need to be worked out between
the parties.
Sample Business Associate Contract Provisions [2]
Definitions (alternative approaches)
Catch-all definition:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as
those terms in the Privacy Rule.
Examples of specific definitions:
1. Business Associate. "Business Associate" shall mean [Insert Name of Business
Associate].
2. Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity].
3. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR §
160.103 and shall include a person who qualifies as a personal representative in
accordance with 45 CFR § 164.502(g).
4. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
5. Protected Health Information. "Protected Health Information" shall have the same
meaning as the term "protected health information" in 45 CFR § 160.103, limited to the
information created or received by Business Associate from or on behalf of Covered
Entity.
6. Required By Law. "Required By Law" shall have the same meaning as the term
"required by law" in 45 CFR § 164.103.
7. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human
Services or his designee.
Obligations and Activities of Business Associate
1. Business Associate agrees to not use or disclose Protected Health Information other
than as permitted or required by the Agreement or as Required By Law.
2. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of
the Protected Health Information other than as provided for by this Agreement.
3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that
is known to Business Associate of a use or disclosure of Protected Health Information by
Business Associate in violation of the requirements of this Agreement. [This provision
may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate
damages to a Business Associate.]
4. Business Associate agrees to report to Covered Entity any use or disclosure of the
Protected Health Information not provided for by this Agreement of which it becomes
aware.
5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom
it provides Protected Health Information received from, or created or received by
Business Associate on behalf of Covered Entity agrees to the same restrictions and
conditions that apply through this Agreement to Business Associate with respect to such
information.
6. Business Associate agrees to provide access, at the request of Covered Entity, and in
the time and manner [Insert negotiated terms], to Protected Health Information in a
Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an
Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if
business associate does not have protected health information in a designated record
set.]
7. Business Associate agrees to make any amendment(s) to Protected Health Information
in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45
CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and
manner [Insert negotiated terms]. [Not necessary if business associate does not have
protected health information in a designated record set.]
8. Business Associate agrees to make internal practices, books, and records, including
policies and procedures and Protected Health Information, relating to the use and
disclosure of Protected Health Information received from, or created or received by
Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to
the Secretary, in a time and manner [Insert negotiated terms] or designated by the
Secretary, for purposes of the Secretary determining Covered Entity's compliance with
the Privacy Rule.
9. Business Associate agrees to document such disclosures of Protected Health
Information and information related to such disclosures as would be required for
Covered Entity to respond to a request by an Individual for an accounting of disclosures
of Protected Health Information in accordance with 45 CFR § 164.528.
10. Business Associate agrees to provide to Covered Entity or an Individual, in time and
manner [Insert negotiated terms], information collected in accordance with Section
[Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to
permit Covered Entity to respond to a request by an Individual for an accounting of
disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
Permitted Uses and Disclosures by Business Associate
General Use and Disclosure Provisions [(a) and (b) are alternative approaches]
(a) Specify purposes:
Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information on behalf of, or to provide services to, Covered Entity for
the following purposes, if such use or disclosure of Protected Health Information would
not violate the Privacy Rule if done by Covered Entity or the minimum necessary
policies and procedures of the Covered Entity: [List Purposes].
(b) Refer to underlying services agreement:
Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information to perform functions, activities, or services for, or on behalf
of, Covered Entity as specified in [Insert Name of Services Agreement], provided that
such use or disclosure would not violate the Privacy Rule if done by Covered Entity or
the minimum necessary policies and procedures of the Covered Entity.
Specific Use and Disclosure Provisions [only necessary if parties wish to allow Business
Associate to engage in such activities]
1. Except as otherwise limited in this Agreement, Business Associate may use Protected
Health Information for the proper management and administration of the Business
Associate or to carry out the legal responsibilities of the Business Associate.
2. Except as otherwise limited in this Agreement, Business Associate may disclose
Protected Health Information for the proper management and administration of the
Business Associate, provided that disclosures are Required By Law, or Business
Associate obtains reasonable assurances from the person to whom the information is
disclosed that it will remain confidential and used or further disclosed only as Required
By Law or for the purpose for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in which the
confidentiality of the information has been breached.
3. Except as otherwise limited in this Agreement, Business Associate may use Protected
Health Information to provide Data Aggregation services to Covered Entity as permitted
by 45 CFR § 164.504(e)(2)(i)(B).
4. Business Associate may use Protected Health Information to report violations of law to
appropriate Federal and State authorities, consistent with § 164.502(j)(1).
Obligations of Covered Entity
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and
Restrictions [provisions dependent on business arrangement]
1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy
practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that
such limitation may affect Business Associate's use or disclosure of Protected Health
Information.
2. Covered Entity shall notify Business Associate of any changes in, or revocation of,
permission by Individual to use or disclose Protected Health Information, to the extent
that such changes may affect Business Associate's use or disclosure of Protected
Health Information.
3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure
of Protected Health Information that Covered Entity has agreed to in accordance with 45
CFR § 164.522, to the extent that such restriction may affect Business Associate's use
or disclosure of Protected Health Information.
Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose Protected Health
Information in any manner that would not be permissible under the Privacy Rule if done by
Covered Entity. [Include an exception if the Business Associate will use or disclose protected
health information for, and the contract includes provisions for, data aggregation or
management and administrative activities of Business Associate].
Term and Termination
1. Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and
shall terminate when all of the Protected Health Information provided by Covered Entity
to Business Associate, or created or received by Business Associate on behalf of
Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return
or destroy Protected Health Information, protections are extended to such information, in
accordance with the termination provisions in this Section. [Term may differ.]
2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by
Business Associate, Covered Entity shall either:
a. Provide an opportunity for Business Associate to cure the breach or end the
violation and terminate this Agreement [and the _________ Agreement/ sections
____ of the ______________ Agreement] if Business Associate does not cure
the breach or end the violation within the time specified by Covered Entity;
b. Immediately terminate this Agreement [and the _________ Agreement/ sections
____ of the ______________ Agreement] if Business Associate has breached a
material term of this Agreement and cure is not possible; or
c. If neither termination nor cure are feasible, Covered Entity shall report the
violation to the Secretary.
d. [Bracketed language in this provision may be necessary if there is an underlying
services agreement. Also, opportunity to cure is permitted, but not required by
the Privacy Rule.]
3. Effect of Termination.
a. Except as provided in paragraph (2) of this section, upon termination of this
Agreement, for any reason, Business Associate shall return or destroy all
Protected Health Information received from Covered Entity, or created or
received by Business Associate on behalf of Covered Entity. This provision shall
apply to Protected Health Information that is in the possession of subcontractors
or agents of Business Associate. Business Associate shall retain no copies of the
Protected Health Information.
b. In the event that Business Associate determines that returning or destroying the
Protected Health Information is infeasible, Business Associate shall provide to
Covered Entity notification of the conditions that make return or destruction
infeasible. Upon [Insert negotiated terms] that return or destruction of Protected
Health Information is infeasible, Business Associate shall extend the protections
of this Agreement to such Protected Health Information and limit further uses and
disclosures of such Protected Health Information to those purposes that make
the return or destruction infeasible, for so long as Business Associate maintains
such Protected Health Information.
Miscellaneous
1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule
means the section as in effect or as amended.
2. Amendment. The Parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for Covered Entity to comply with the
requirements of the Privacy Rule and the Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191.
3. Survival. The respective rights and obligations of Business Associate under Section
[Insert Section Number Related to "Effect of Termination"] of this Agreement shall
survive the termination of this Agreement.
4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered
Entity to comply with the Privacy Rule.
[1] This website version of Sample Business Associate Contract Provisions was revised June
12, 2006 to amend the regulatory cites to the following terms: "individual"; "protected health
information"; and "required by law."
[2] Words or phrases contained in brackets are intended as either optional language or as
instructions to the users of these sample provisions and are not intended to be included in the
contractual provisions.
7.3. Data Center Standards Cheat Sheet
SAS 70
The Statement on Auditing Standards No. 70 was the original audit used to measure a data center’s
financial reporting and recordkeeping controls. Developed by the AICPA (American Institute of
CPAs), it has two types:
● Type 1 – Reports on a company's description of its operational controls
● Type 2 – Reports an auditor's opinion on how effective these controls were over a
specified period of time (typically at least six months)
SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June
2011. An SSAE 16 audit measures the controls relevant to financial reporting.
● Type 1 – A data center’s description and assertion of controls, as reported by the
company.
● Type 2 – Auditors test the accuracy of the controls and the implementation and
effectiveness of controls over a specified period of time.
SOC 1
The first of three new Service Organization Controls reports developed by the AICPA, this report
measures the controls of a data center as relevant to financial reporting. It is essentially the
same as a SSAE 16 audit.
SOC 2
This report and audit is completely different from the previous ones. SOC 2 measures controls
specifically relevant to IT and data center service providers, against five trust services
principles: security, availability, processing integrity (ensuring system accuracy, completeness and
authorization), confidentiality and privacy. There are two types:
● Type 1 – A data center’s system and suitability of its design of controls, as reported
by the company.
● Type 2 – Includes everything in Type 1, with the addition of verification of an
auditor's opinion on the operating effectiveness of the controls.
SOC 3
This report includes the auditor’s opinion on the SOC 2 components with an additional seal of
approval to be used on websites and other documents. The report is less detailed and technical
than a SOC 2 report.
HIPAA
Enforced by the U.S. Department of Health and Human Services (HHS), the Health Insurance Portability and
Accountability Act of 1996 specifies requirements to secure protected health information (PHI), or patient
health data (medical records). When it comes to data centers, a hosting provider needs to meet
HIPAA compliance in order to ensure sensitive patient information is protected. A HIPAA audit
conducted by an independent CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA
Security Specialist) can provide a documented report to prove a data center operator has the
proper policies and procedures in place to provide HIPAA hosting solutions.
None of the other audits or reports above evidences HIPAA compliance on its own: an SSAE 16 or SOC report covers a different control set. Note also that HHS does not recognize or endorse any HIPAA certification, so an independent HIPAA audit report documents the auditor's assessment of the provider's safeguards rather than a government seal of compliance, and the covered entity remains responsible for its own risk analysis and vendor due diligence.
Contact Us
Contact us for more information if you still have questions about HIPAA hosting or HIPAA
compliant data centers.
Bill Ryan
734-213-2020 ext. 107
April Sage
734-213-2020 ext. 113