By: Sagi Brody, CTO, Webair
The Health Insurance Portability and Accountability Act (HIPAA), a landmark piece of legislation initially introduced in Congress as the Kennedy-Kassebaum Bill, was enacted in 1996 and represented a broad Congressional attempt at healthcare reform. HIPAA came into being with two main objectives.
One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Health Insurance Portability part of the Act. The second part of the Act is the “Accountability” portion. This section is designed to ensure the security and confidentiality of patient information and data. In addition, it mandates uniform standards for electronic data transmission of administrative and financial data relating to patient health information. HIPAA applies to health plans, healthcare clearinghouses, and to healthcare providers that electronically transmit health information in connection with standard transactions.
Other measures soon followed, including the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into federal law in 2009 to promote the adoption and meaningful use of Health Information Technology (HIT) in the United States. The HITECH Act laid the groundwork for widespread use of Electronic Health Records (EHRs). Further statutory requirements regarding patients’ privacy rights and protections were established in 2013, when the final HIPAA Omnibus Rule was issued to hold all custodians of Protected Health Information (PHI) subject to the same security and privacy rules as covered entities under HIPAA.
Covered entities under HIPAA, including HIPAA Business Associates (BAs) such as Managed Service Providers (MSPs), are responsible for configuring their applications, platforms, websites and portals in a HIPAA-compliant manner and for enforcing policies in their organizations to meet HIPAA compliance. This even applies to BAs that don’t handle patient files directly.
Given information security concerns and the looming threat of healthcare data breaches, these regulatory mandates are now non-negotiable, mission-critical concerns for today’s healthcare providers and enterprises.
While ensuring HIPAA-HITECH compliance can be a labyrinthine initiative for many entities, healthcare organizations that fail to do so face very stiff penalties. Sanctions for non-compliance can range anywhere from $100 per violation all the way up to $1.5 million per year.
The good news is that healthcare and enterprise customers can ensure their data is appropriately secure and in HIPAA-HITECH compliance by taking three simple actions.
- Ensure your provider has completed a HIPAA Matrix.
While no standard HIPAA certification for MSPs currently exists, a provider can request that a HIPAA Matrix be completed during a Statement on Standards of Attestation Engagements No. 16 (SSAE 16) audit certification. These audits, performed annually and typically by an independent, third-party auditor, will attest that the MSP properly conforms to HIPAA data privacy and security regulations.
Webair has completed a HIPAA Matrix in addition to achieving its SSAE 16 Controls at a Service Organization (SOC 1) Type 2 audit certification for both its data centers and service offerings. Webair’s data centers and Managed Hosting solutions, including Colocation, Dedicated Servers, Managed and Unmanaged Private Clouds, Managed and Unmanaged Public Clouds, Cloud Storage and IP Transit, are fully HIPAA-HITECH compliant. Our global network of facilities and extensive portfolio of services feature a number of safeguards to ensure maximum data protection and safe transmission of covered entities’ electronic Protected Health Information (ePHI).
- Sign a BAA.
BAAs are critical to assuring healthcare or enterprise customers that their sensitive information is protected and secure. These contracts typically establish the BA’s permitted and required uses and disclosures of PHI, in addition to identifying appropriate termination provisions. Webair is one of the few Managed Hosting providers that signs HIPAA BAAs with customers, demonstrating our commitment to the proper storage and security of ePHI for the healthcare and enterprise markets.
- Check for additional data security protocols.
In addition to signing BAAs, your providers should go the extra mile to fortify data security protocols across all services and infrastructure. This can be accomplished in a number of ways. Among the many safeguards, too voluminous to mention in this space, Webair ensures that:
- Each customer is segmented into its own dedicated Virtual Local Area Networks (VLANs) for public Internet and internal communications, and all data between shared storage platforms and customer infrastructure travels over that dedicated VLAN.
- Physical access to production servers and facilities is restricted.
- All managed services are firewalled by default for Secure Shell (SSH) and File Transfer Protocol (FTP).
- Multiple types of Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Firewall and Web Application Firewall (WAF) services are available to be added to any customer configuration.
At Webair, we assist healthcare providers and enterprise businesses with HIPAA-HITECH compliance, so they can rest assured knowing their sensitive data is safe and secure. Our Managed Hosting solutions and facilities, including our flagship NY1 data center on Long Island, are built to support HIPAA-HITECH compliance, improve efficiency, reduce risk and enable organizations to focus on their core business: healthcare services and patient care.