10-01-13 | Blog Post
Last week marked an important deadline for physicians, HIPAA covered entities (CEs), business associates (BAs), and subcontractors to comply with HIPAA’s privacy and security requirements. Now any healthcare organization that supports the processing, facilitation, or collection of PHI (protected health information) must comply with HIPAA and the HITECH Act.
We had a chance to sit down with Online Tech’s Co-CEOs, Yan Ness and Mike Klein, and speak about Online Tech’s focus on the healthcare market, and how Michigan data centers help those in healthcare meet HIPAA security and privacy requirements.
Online Tech knows that encryption is strongly advised and recommended by the Department of Health and Human Services.
The HIPAA Security Rule for healthcare organizations handling electronic protected health information (ePHI) dictates that organizations must:
In accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information. (45 CFR § 164.312(a)(2)(iv))
HIPAA also mandates that organizations must:
§164.306(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. Protecting ePHI at rest and in transit means encrypting not only data collected or processed, but also data stored or archived as backups.
If encryption is not used by a covered entity or business associate, clear documentation of the risk analysis, the decision not to encrypt, and the specifics of the alternative protection must be in place to demonstrate due diligence in protecting ePHI.
“We know if your data is encrypted and the hard drive goes missing, it is not considered a breach,” says Klein. “And if you encrypt your data, you do not have to report a data breach to the government unless you have reason to believe that the encryption keys were compromised.”
Many clients have selected Online Tech because we are one of the few cloud hosting providers with an Office for Civil Rights audit protocol for HIPAA, says Klein. We can provide that audit to clients, under non-disclosure, and it can be used to show HIPAA compliance if the “HIPAA police come calling.”
Encrypted Cloud for Healthcare
The cloud computing industry has struggled with how to meet the data encryption requirements mandated by Health and Human Services. At Online Tech, we offer clients a high-performance cloud environment with data automatically encrypted. Every single cloud server, and all the content on that server, is encrypted.
So for all of our clients accessing our multi-tenant and private cloud environments, their data is encrypted at rest. The encryption is done at the hardware level and at the SAN level, with no encryption keys to manage and no encryption software to manage.
If you’re interested in learning more about encryption, including HIPAA compliance regulations and the technical options available, download Online Tech’s new whitepaper Encryption of Cloud Data.