If you collect, process, store or transmit protected health information (PHI), including medical records, you must be able to pass a HIPAA audit to demonstrate compliance. To satisfy the Security Rule's safeguards, certain technologies and procedures are recommended industry practice even though the HIPAA standards themselves are technology-neutral and do not name specific products.
The rules in the Code of Federal Regulations (CFR) that implement HIPAA dictate that Online Tech, as a business associate that handles clients' PHI, must:
- Protect the availability, integrity and confidentiality of PHI
- Have Business Associate Agreements (BAAs) with clients who have PHI
- Report any breach or misuse of PHI to the OCR (the Office for Civil Rights, the HHS office that audits, investigates and fines companies and individuals for HIPAA violations).
We deploy all of the following technology internally; it helped us pass our own HIPAA audit and lets us offer HIPAA compliant hosting in our HIPAA compliant data centers (we also offer and recommend these services to clients who need to be HIPAA compliant):
- Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access
- Managed Cloud Server (for high availability of data and applications)
- Separate database and web servers for production
- A separate test server (web and database may share one test box, but it must not be the production server, and it should hold de-identified test data rather than live PHI)
- Offsite backup at a minimum; a full disaster recovery environment is better
- TLS certificates (still commonly called SSL) and HTTPS for all web-based access to PHI, so every connection is encrypted and the server is authenticated
- Private IP addressing for backend servers, so database and application servers are not directly reachable from the Internet
- Encryption – encrypt PHI at rest in the database and, above all, in transit. Use the NIST-standardized Advanced Encryption Standard (AES, FIPS 197) in an authenticated mode such as AES-GCM, and keep the keys outside the database they protect. HHS guidance treats PHI encrypted this way as "secured", so the loss of an encrypted disk or backup generally does not trigger breach notification, whereas AES with keys stored beside the data offers little protection.
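Field-level encryption of PHI before it is written to the database, as an added example in Go that is not part of the original post or Online Tech's tooling. It uses AES-256-GCM from Go's standard library, binds each ciphertext to its record identifier as additional authenticated data, and shows that a tampered value, or a ciphertext copied into another patient's row, fails to decrypt. The record IDs, the diagnosis text and the in-process random key are constructed for the demo; a real deployment fetches the key from a KMS or HSM rather than generating it next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// PHIEncryptor encrypts individual PHI fields before they reach the database,
// so a dump of the database alone does not expose plaintext.
type PHIEncryptor struct {
	aead cipher.AEAD
}

// NewPHIEncryptor takes a 32-byte key (AES-256). In production the key comes
// from a key management service or HSM, never from the same database.
func NewPHIEncryptor(key []byte) (*PHIEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PHIEncryptor{aead: aead}, nil
}

// Encrypt seals one field value. recordID is bound to the ciphertext as
// additional authenticated data, so a ciphertext moved from one patient's row
// to another's fails to decrypt. A fresh random nonce is generated per call
// and stored in front of the ciphertext (base64 of nonce || ciphertext).
func (e *PHIEncryptor) Encrypt(recordID, plaintext string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := e.aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt reverses Encrypt. Any modification of the stored value, or a
// mismatched recordID, makes the GCM tag check fail and returns an error.
func (e *PHIEncryptor) Decrypt(recordID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := e.aead.NonceSize()
	if len(raw) < ns+e.aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	pt, err := e.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: tampered data or wrong record")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; fetch from a KMS in production
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	enc, err := NewPHIEncryptor(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI for a hypothetical record.
	stored, err := enc.Encrypt("patient-1001", "Dx: type 2 diabetes")
	if err != nil {
		panic(err)
	}
	fmt.Println("value stored in DB:", stored)
	pt, err := enc.Decrypt("patient-1001", stored)
	fmt.Println("same record:", pt, err)
	_, err = enc.Decrypt("patient-2002", stored)
	fmt.Println("moved to another record:", err)
}
```

Because the nonce is random, encrypting the same diagnosis twice yields different stored values, so an attacker with database access cannot tell which patients share a diagnosis by comparing ciphertexts; the recordID binding is what stops that same attacker from swapping rows.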
HIPAA compliance is about more than deploying the right technology; it also depends on your own policies and procedures. What are some best practices your company can follow to meet HIPAA compliance?
- Documentation – write out your data management, security, employee training and breach notification plans.
- Implement a password policy.
- Don't use plain FTP (File Transfer Protocol) to move files; it sends credentials and data in cleartext. Use SFTP or FTPS instead.
- Only allow remote access over VPN.
- Implement login retry protection in your application (throttle or lock an account after repeated failed logins, so passwords cannot be guessed online).
- Document, and regularly test, a detailed disaster recovery plan for recovering data after a disaster.
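Login retry protection of the kind the list above calls for, as an added Go example that is not code from the original post. It counts failures per account within a window, locks the account for a lockout period once the threshold is reached, and clears the count on success; the threshold, window and lockout values and the account name are illustrative choices, and the `verify` callback stands in for the real password-hash comparison.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LoginGuard tracks failed login attempts per account and locks the account
// after too many failures within a window. Counting per account rather than
// per source IP also stops guessing that is spread across many addresses.
type LoginGuard struct {
	mu          sync.Mutex
	maxFailures int
	window      time.Duration
	lockout     time.Duration
	now         func() time.Time // injectable clock so the logic can be tested
	state       map[string]*attemptState
}

type attemptState struct {
	failures    int
	firstFail   time.Time
	lockedUntil time.Time
}

func NewLoginGuard(maxFailures int, window, lockout time.Duration) *LoginGuard {
	return &LoginGuard{
		maxFailures: maxFailures,
		window:      window,
		lockout:     lockout,
		now:         time.Now,
		state:       make(map[string]*attemptState),
	}
}

// Allowed reports whether an attempt for account may proceed. Check it before
// verifying the password so a locked account gets the same answer either way.
func (g *LoginGuard) Allowed(account string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	s, ok := g.state[account]
	if !ok {
		return true
	}
	return !g.now().Before(s.lockedUntil)
}

// RecordFailure counts a failed attempt and returns true if it triggered a lockout.
func (g *LoginGuard) RecordFailure(account string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()
	s, ok := g.state[account]
	if !ok || now.Sub(s.firstFail) > g.window {
		// First failure, or the counting window has expired: start afresh.
		s = &attemptState{firstFail: now}
		g.state[account] = s
	}
	s.failures++
	if s.failures >= g.maxFailures {
		s.lockedUntil = now.Add(g.lockout)
		return true
	}
	return false
}

// RecordSuccess clears the failure history after a successful login.
func (g *LoginGuard) RecordSuccess(account string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	delete(g.state, account)
}

// Login wires the guard into an authentication flow. verify is the real
// credential check. The reason is for the audit log; the message shown to the
// user should stay generic so it does not reveal whether an account exists.
func Login(g *LoginGuard, account string, verify func() bool) (bool, string) {
	if !g.Allowed(account) {
		return false, "account temporarily locked"
	}
	if !verify() {
		if g.RecordFailure(account) {
			return false, "too many failures; account locked"
		}
		return false, "invalid credentials"
	}
	g.RecordSuccess(account)
	return true, "ok"
}

func main() {
	g := NewLoginGuard(5, 10*time.Minute, 15*time.Minute) // illustrative limits
	for i := 1; i <= 6; i++ {
		// Constructed scenario: a wrong password on every attempt.
		ok, why := Login(g, "alice", func() bool { return false })
		fmt.Printf("attempt %d: ok=%v (%s)\n", i, ok, why)
	}
}
```

Every lockout event is worth logging with the account and source address, since a burst of lockouts across many accounts is the signature of a password-spraying campaign rather than forgotten passwords.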