Visit for more information. Copyright Online Tech All Rights Reserved. page 1 of 36

Transcription

1 Copyright Online Tech All Rights Reserved. page 1 of 36

2 HIPAA Compliant Data Centers 1.0. Executive Summary Impact of HITECH and HIPAA on Data Centers What is a HIPAA Compliant Data Center? Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Business Associate Agreements HIPAA Compliant Data Center Architecture Requirements Enhanced Security Outsource vs. In-House Hosting Benefits of Outsourcing Hosting Risks of Outsourcing Vendor Selection Criteria HIPAA Compliant Business Associates Other Key Data Center Considerations Conclusion References Questions to Ask Your HIPAA Hosting Provider Example BAA Data Center Standards Cheat Sheet...35 Copyright Online Tech All Rights Reserved. page 2 of 36

3 1.0. Executive Summary The increasing pressure to implement meaningful use, reduce healthcare costs, and improve care outcomes while still protecting patient interests has led to strategic review and overhaul by many healthcare providers and vendors. Evaluating outsourcing options to allow industry experts to manage parts of the healthcare IT components is an obvious part of the equation, and the intensive capital expense, human resource, security, and maintenance demands specific to data centers make these prime candidates for cost savings. However, balancing the resource benefits of outsourcing data center and hosting services with the risks of engaging an off-premise business associate is daunting in the wake of increasing PHI (protected health information) breaches and penalties. Ultimately, finding the best blend of resources that can fulfill the availability, integrity, and confidentiality requirements to protect ephi (electronic protected health information) - and thereby protecting the patients, covered entities, and business associates - is the challenge at hand. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria Impact of HITECH and HIPAA on Data Centers Protecting the confidentiality, integrity, and availability of electronic protected health information (ephi) is the essence of the HIPAA Security Rule 1. Since data centers typically store, transmit, or process ephi, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence apply just as much in the data center as in a provider s facility. While there is some debate about the responsibilities of business associates for the protection of ephi, all indications point towards business associates being held as responsible as covered entities. Consider the latest notice of proposed rulemaking that speaks to the extension of responsibilities from covered entities to business associates: As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic 1 U.S. Dept. of Health and Human Services, HIPAA Security Series: Basics of Risk Analysis and Risk Management; Copyright Online Tech All Rights Reserved. page 3 of 36

4 protected health information they receive, create, maintain, or transmit on behalf of the covered entities. 2 Moreover, both covered entities and business associates should bear in mind that prosecution by the Office of Civil Rights (OCR) under HITECH is not the only legal concern. The last year has witnessed an increase in state and consumer lawsuits against both covered entities and business associates. In January 2012, Minnesota Attorney General filed a lawsuit against Accretive Health, for failing to protect the confidentiality of over 23,000 patient healthcare records. 3 The safest and most diligent practice to protect ephi is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ephi resides. This means that data centers, whether in-house or outsourced, need to fully embrace complete responsibility for ephi. In the areas of administrative safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare providers tend to be stronger. In the areas of technical safeguards and PHI availability, 2 U.S. Dept. of Health and Human Services, Federal Register Part II; 3 Minnesota Attorney General, Attorney General Swanson Sues Accretive Health for Patient Privacy Violations; Copyright Online Tech All Rights Reserved. page 4 of 36

5 professional data center companies that invest extensively in redundant facility infrastructure and security may be the safer bet. Ideally, either a healthcare provider would have infinite resources to build and maintain multiple, high-availability data centers or a data center hosting business associate would have a thorough understanding of HIPAA compliance including a HIPAA security risk analysis and management, policies, training of all employees, and ongoing HIPAA compliance audits. While both ideals exist, they are in the minority. In these cases, the weighing of the pros and cons falls back to the risk analysis and management to choose the best option that will maintain ephi confidentiality, integrity, and availability What is a HIPAA Compliant Data Center? Data centers need to adhere to the administrative, physical, and technical safeguards and standards set forth by the HITECH act to be HIPAA compliant. Following is a brief review of the administrative, physical, and technical safeguards with specific notes applicable to data centers Administrative Safeguards The Security Management Process described under (a)(1) includes requirements for HIPAA Risk Analysis and Risk Management, which form the foundation upon which an entity s necessary security activities are built. (68 Fed. Reg ) 4 Start by reviewing the data center s HIPAA Report on Compliance, sometimes referred to as an HROC. Providers who maintain their own data centers are likely to have this included in their risk analysis and management plan already. This can serve as a useful point of comparison across the various HIPAA standards, citations, and implementation specifications when outsourcing to a third-party data center business associates. Data center providers who have invested in an independent HIPAA risk assessment should provide a copy of their HIPAA compliance report upon request, at least under NDA. When a data center business associate can provide a HIPAA compliance report, it will save covered entities (CEs) significant costs of evaluating HIPAA compliance, which should happen in advance of entering into a partnership. If a CE elects to outsource data center hosting services to a business associate that does not have, or does not provide, an independent HIPAA report on compliance available, the CEs will have to bear the burden of evaluating compliance and proving due diligence. Other Administrative Safeguards that should be in place in all data centers that store, transmit, or process ephi include: 4 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Basics of Risk Analysis and Risk Management; Copyright Online Tech All Rights Reserved. page 5 of 36

6 Assigned Security Responsibility (a)(2) Workforce Security (a)(3) Information Access Management (a)(4) Security Awareness and Training (a)(5) Security Incident Procedures (a)(6) Contingency Plan (a)(7) Evaluation (a)(8) Business Associate Contracts and Other Arrangements (b)(1) 3.2. Physical Safeguards 5 STANDARDS SECTIONS IMPLEMENTATION SPECIFICATIONS Facility Access Controls Workstation Use Workstation Security Device and Media Controls (a)(1) Contingency Operations Facility Security Plan Access Control and Validation Procedures Maintenance Records (b) (c) (d)(1) Disposal Media Re-use Accountability Data Backup and Storage Nothing beats an on-site visit to ascertain the level of security. Think of it this way: this data center might hold the data of hundreds, or thousands, of your patients. You want to feel the same sense of solid trust and ease from your visit - the same way you want your patients to feel towards their own care providers. As an extension of a covered entity, the business associate should foster a sense of expertise, careful procedure, and a willingness to communicate openly about questions and policies. Imagine the first night of sleep after moving your PHI to this place - will you sleep soundly, or lie awake in dread? Things to check for include the following: Two-factor authentication - If not personally escorted, anyone in the data center should be wearing a badge to identify them and need at least 2 forms of identification for access such as badge and access code, or biometric fingerprint scanner and badge. If 5 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Physical Safeguards; Copyright Online Tech All Rights Reserved. page 6 of 36

7 you go for a data center visit and are not asked to sign-in and wear a badge, security should be considered less than adequate. Prolific use of video surveillance - Ask to see the video logs and how long they are kept (should be at least 90 days). Visitor logging - The entries in the logbook should directly match the video surveillance tapes. Ask when the last independent auditor confirmed the match of visitor logs with the video archives. Ask who the auditor was and investigate the auditor s company to confirm their credibility. Procedure Documentation - Ask to review the documentation for the procedure to allow access by unannounced visit, phone call, or . Don t just ask the security or compliance officer - ask anyone. If there is a consistent policy and procedure in place, you should get a consistent and reassuring answer Technical Safeguards 6 STANDARDS SECTIONS IMPLEMENTATION SPECIFICATIONS Access Control (a)(1) Unique User Identification Emergency Access Procedure Automatic Logoff Encryption and Decryption Audit Controls (b) Integrity (c)(1) Mechanism to Authenticate Electronic Protected Health Information Person or Entity Authentication (d) Transmission Security (e)(1) Integrity Controls Encryption The HIPAA Security Rule does not require specific technology solutions, but it does outline the standards and implementation specifications. The Rule s intent is to allow covered entities the flexibility to determine which security measures are a good fit for their company, depending on size and different needs. 6 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Technical Safeguards; Copyright Online Tech All Rights Reserved. page 7 of 36

8 The HHS provides guidance around the implementation specifications below: Unique User Identification Assign a unique user ID to each employee that can allow your company to track user activity while the user is logged into an information system. Emergency Access Procedure Establish a written procedure outlining the protocol to access ephi in the event of an emergency, including policies around who needs access and possible ways to gain access. Automatic Logoff Automatic logoff should be implemented on every workstation with access to ephi after a certain period of inactivity. Encryption and Decryption This is not required, but instead recommended as a safeguard to be implemented only if deemed reasonable and appropriate for the covered entity. Determine which ephi or software programs are appropriate for encryption. Audit Controls This refers to implementing a system that logs and monitors activity on information systems with ephi. Authentication Intended to protect the integrity of ephi, the existing systems should have functions or a process to check for data integrity, such as digital signatures. When it comes to person or entity authentication, proof of identity should include a password or pin, smart card, token, key and/or biometrics (fingerprints, facial patterns or voice patterns). Transmission Security For integrity controls, the primary method to protect ephi is through the use of network communications protocols, although other methods include data or message authentication codes. Encryption is another option to consider after reviewing your company s methods of transmission, frequency of transmission, and potential issues found in your risk analysis Organizational Requirements 7 STANDARDS SECTIONS IMPLEMENTATION SPECIFICATIONS Business associate contracts or other arrangements Requirements for Group Health Plans (a)(1) Business Associate Contracts Other Arrangements (b)(1) Implementation Specifications Policies and Procedures Documentation (Time Limit, Availability and Updates) 7 U.S. Dept.of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements; Copyright Online Tech All Rights Reserved. page 8 of 36

9 The Organizational Requirements found in the HIPAA Security Rule concern contracts and agreements with business associates (BAs) and the policies, procedures and documentation guidelines for group health plans. Business Associate Contracts (or Agreements, BAA) This ensures business associates will implement the HIPAA safeguards to protect ephi they receive or maintain on behalf of the covered entity. It also ensures that any subcontractors they work with will also follow the safeguards. The agreement requires BAs to report all security incidents and allow contract termination if any violations occur (read more about BAAs below). Other Arrangements This is allowed only if the both the business associate and covered entity are government entities, and they enter into a memorandum of understanding (MOU) that addresses all of the objectives of a BAA. Group Health Plans The implementation specifications are the same as those required for BAAs (above). Required policies, procedures and documentation must be retained for a period of at least six years, be available via print or Intranet, and reviewed and updated based on environmental or operational changes that affect ephi security Business Associate Agreements Not only does an effective business associate agreement need to be in place between covered entities and their business associates; the contractors and vendors of the business associate must also share and sign business associate agreements if there is any potential of access to PHI data. 8 The business associate agreement (BAA) is the ideal place to clarify the roles and responsibilities between the covered entity and the business associate. For example, the OCR requires the following documentation in the event of a PHI breach: Documentation Documentation of the covered entity s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations. Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft. Documentation of the covered entity s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable: 8 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements; Copyright Online Tech All Rights Reserved. page 9 of 36

10 o Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity s current policies and procedures, and as required by the Privacy Rule. Re-training of appropriate workforce members. Mitigation of the harm alleged, as required by the Privacy Rule. HIPAA Policies and Procedures A copy of HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI. A copy of the policies and procedures implemented to safeguard the CE s facility and equipment. Physical Safeguards Evidence of physical safeguards implemented for computing devices to restrict PHI access. Business associate agreements and/or policies and procedures implemented to ensure Business associates have implemented the appropriate safeguards (if applicable). Risk Assessment A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements. Evidence of security awareness training for involved workforce members including training on workstation security. Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations. Breach Notification A copy of the written notification of the breach provided to the affected individuals. A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification. Much of the required documentation requires months of planning and implementation. If you sign a BAA today, and have a PHI breach tomorrow, are you confident that your data center can provide the necessary information to respond in a thorough and timely manner to the OCR? Copyright Online Tech All Rights Reserved. page 10 of 36

11 3.5. HIPAA Compliant Data Center Architecture The diagram below shows elements of a HIPAA compliant hosting architecture. To create this, we worked with Certified HIPAA Security Specialists and Certified HIPAA Professionals who matched each HITECH standard, specification, and implementation with a common technology application to meet Security Rule compliance. Each element is described in the following pages. Copyright Online Tech All Rights Reserved. page 11 of 36

12 Requirements Antivirus The Security Awareness and Training Standard of the HIPAA Security Rule (Section (a)(5)) 9 specifically calls out the need for Protection from Malicious Software. We all use antivirus on our laptops, so using this on a server operates under the same premise: safety and security for critical infrastructure. This is one of the most important elements of security you can buy for the money for a managed server. OS Patch Management Routine OS patch management is required in today s IT climate. And yes, there are many older servers, older applications, and just plain old implementations out there that IT administrators are scared to touch. These are, for example, the MS-SQL 2000 implementations that are connected to disparate systems, ERP systems, and other legacy applications that IT managers feel might break if patched. These are often unpatched due to lack of funding for application redesign, and sheer terror on the part of some IT managers to implement change for the security and good of the company. With all the security bulletins, holes, bugs, zero-day exploits, viruses, and other security vulnerabilities announced daily for operating systems, applications, and databases, a solid process is needed to design a patch process that safeguards all systems. This includes choosing one or more patch process tools, processes, and procedures, and then setting up a unified test, staging, and production environment to test the patches. Backup and Disaster Recovery The HIPAA Contingency Plan standard described in section (a)(7) 10 requires a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis. Part of proving due diligence is holding CEs and BAs responsible for ensuring PHI is not destroyed or lost in the event of a disaster. Offsite data backups are imperative and offsite disaster recovery is strongly recommended. Patient care is not a 9-5 job; a primary driver behind electronic health records is the portability and availability of patients records to health care providers around-the-clock. Availability means that PHI is always available, accessible and never lost. When a patient arrives in the emergency room at two o clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient s records at his fingertips. 9 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Administrative Safeguards; 10 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements; Copyright Online Tech All Rights Reserved. page 12 of 36

13 Protecting healthcare data, and ensuring its availability means putting procedures in place to mitigate disasters, and having a solid plan in-hand to activate when a disaster occurs. The infrastructure to do this is defined by two perspectives: 1. Disaster Prevention - Putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity. 2. Disaster Recovery - Assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if a disaster occurs in the primary data center. High Availability, Redundant Firewalls Firewalls can help meet both administrative safeguard requirements to protect PHI from malicious software ( (a) (5)) and the technical safeguard requirements to tightly control access to PHI ( (a) (1)). The data center should be protected by redundant, or high availability, firewalls so that if one fails due to a hardware, software, or power issue, a second firewall can still stand between PHI and a malicious attack. Intrusion detection and intrusion prevention capabilities should also supplement firewall protection, and are often a feature of many modern firewall and universal threat management appliances. Plan or evaluate with the knowledge that it s not a matter of if a firewall fails, it s when a firewall fails. Look for every single point of failure in the data center and plan high-availability redundancies anywhere they exist. For example, the firewalls should be plugged into separate power strips that are connected to separate power feeds in the data center. If the redundant firewalls are plugged into a single power strip that blows a breaker fuse, all redundancy is lost. High Availability, Redundant Routers Routers are responsible for passing data to and from the data center from the Internet. In order to ensure that PHI is always available, the data center should use redundant routers to ensure that data traffic can still continue when one router experiences a hardware, software or power failure. Routers should be powered by separate power strips connected to separate power feeds for true redundancy. High Availability, Redundant Internet Service Providers If the data center relies on a single Internet Service Provider (ISP), PHI availability will be at risk. Ask if the data center that will be protecting your PHI has separate ISPs that connect via different sides of the data center. Ask if the redundant service providers connect all the way to the data center directly through the same or disparate last-mile connections different last-mile fiber connections will provide enhanced redundancy. HIPAA Trained Staff and Documented Policies The most secure technologies are rendered useless without a culture of processes that ensures that secure policies and procedures are documented and consistently followed. Review of Copyright Online Tech All Rights Reserved. page 13 of 36

14 independent audit reports should reflect a foundation of secure policies that guide day-to-day operations. HIPAA compliance also requires that all staff receive HIPAA security training and ongoing security updates. Ask potential vendors if all members of their staff have received HIPAA security training, where HIPAA compliance documents and policies are kept (every employee should know), and the date of the last training and security update. A company with a culture of security and compliance will have answers readily at hand Enhanced Security The following section describes additional enhanced security measures a CE can put in place to further hedge against the risk of a PHI breach. While these enhanced protections come at an additional cost to the IT budget, the cost of cleaning-up the aftermath of a breach are far greater to the business. Two-Factor Authentication One of the weakest links in protecting PHI is the use of simple passwords. While it may seem like common sense that passwords based on a spouse s name, anniversary, or simple patterns like abc123 or are not sufficient to protect PHI, ensure there is a policy of using complex passwords of at least 8 characters that combines lower case letters, upper case letters, numbers, and special symbols. A policy of changing passwords regularly (every 90 days) is a good start. To protect against weak or stolen passwords, implement two-factor authentication. This requires multiple forms of identification for a login such as a code and a username/password combination. Biometric login systems may require a fingerprint along with a code or keycard. For the cloud and web-based applications, two-factor authentication systems require a username, password, and a code that is sent to a mobile device by phone call or text message. Ask your cloud provider if they provide dual-factor authentication services for VPN s and webbased logins or contract with a service such as Duo 11 to improve PHI protection. SSL Certificate (Web Apps) To secure PHI data in a web-based application, an SSL (Secure Socket Layer) certificate is a must. The SSL certificate is used by software that encrypts all data moving between two or more end-points (i.e. from a browser, to a server containing the application or website). Since many healthcare applications are now hosted in the cloud and accessed by browsers (Internet Explorer, Chrome, Firefox), the SSL certificate is essential to proper security. File Integrity Monitoring (FIM) File integrity monitoring refers to ensuring the integrity of the files on a server. The basic technique is the comparison of the current file to the known, safe baseline. While file changes are expected and within the normal realm of daily interaction and activity, there are a few key 11 Duo Security; Copyright Online Tech All Rights Reserved. page 14 of 36

15 changes that may trigger additional investigation such as a change of ownership, security settings, or configuration values. When the enhanced security of FIM makes sense, a separate server is often set up to perform this function using one of many third party software applications to monitor and evaluate file changes and alert administrators of any suspicious activity. Web Application Firewall (WAF) A web application firewall is specifically built to monitor website traffic for the transmission of sensitive data and potentially block any network traffic that does not fit within the allowable configuration. For PHI applications that involve a website where security is paramount, use of a WAF may make sense. It is a powerful tool in the security toolbox for consideration, and can prevent leakage of PHI data by unauthorized users. Encryption Encryption for data at rest and in transit is very strongly recommended. When transmitting PHI, encrypted data should be sent over an encrypted connection for ultimate security. When using encryption for PHI, one should follow the NIST (National Institute of Standards and Technology) Special Publication , Guide to Storage Encryption Technologies for End User Devices standards for encryption. 12 Data at rest constitutes data stored on servers or backup systems (tape or disk) while not in use. This data needs to be encrypted in case of disk theft or unauthorized access. Many data breaches are due to lost or stolen unencrypted portable devices (laptops or smartphones) - PHI should not be stored on portable devices, but instead in HIPAA compliant data centers that serve the data to mobile devices. That way, thousands of patient records aren t stored on any of your computing devices, but instead in a secure location that can be accessed through a mobile device. This greatly improves your PHI security - if you lose the device, you won t lose all of the sensitive data as well. Additionally, the HIPAA breach notification rule only requires reporting of unencrypted data breaches in cases where 500 individuals are affected. If your data is encrypted and you experience loss or theft of data, you are not required to notify the HHS, the media or any affected individuals NIST, Special Publication Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; 13 U.S. Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unreadable, or Indecipherable to Unauthorized Individuals; Copyright Online Tech All Rights Reserved. page 15 of 36

16 4.0. Outsource vs. In-House Hosting 4.1. Benefits of Outsourcing Hosting Save on Costs Why would a covered entity with sensitive data outsource their hosting solution to a third-party? A HIPAA compliant hosting provider that has already passed an independent HIPAA audit can save time and money by eliminating the need to audit your vendor in addition to your own business. While it does not release you of the obligation and responsibility of meeting compliance, it helps you more readily achieve compliance and mitigate risk. Additionally, managed hosting allows your IT team to focus on the applications directly related to your business, not on the day-to-day details involved with server updates, data center infrastructure, network management and security which can more readily be outsourced to a trusted provider. Security A HIPAA compliant hosting provider can provide the latest tested and audited technology to help achieve compliance and secure your ephi. With a variety of required and recommended security methods, you can trust experienced, certified professionals to maintain, monitor and accurately generate logs of activity on your servers. Outsourcing allows you to benefit from the various levels of security that a quality hosting provider should have in place. These advantages include physical security, environmental controls, logged access and video surveillance, and multiple alarm systems to detect unauthorized access. Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired universal threat management devices to protect sensitive information. While the HITECH Act requires private accessibility on request by your patients, your outsourced hosting provider should never access PHI, but instead build, maintain and monitor the secure infrastructure that your sensitive information is stored and transmitted in. Availability The use of high-availability (HA) solutions in a fully redundant and compliant data center can allow clients to increase their uptime and PHI availability. Using an HA infrastructure can reduce the risk of business downtime due to a single point of failure. Outsourcing to a HIPAA hosting provider means your business can take advantage of your data center operator s design of Copyright Online Tech All Rights Reserved. page 16 of 36

17 power connections, UPS (Uninterruptible Power Supplies) systems, generators, air conditioning and networks. Flexibility Outsourcing allows you to benefit from the latest virtualization technologies, such as fifthgeneration VMware that dominates the market for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows for the ability to scale servers up and down as needed to respond to the demands of end-users with fast deployment time Risks of Outsourcing However, the risks of outsourcing HIPAA compliant hosting to a service provider can mean extending your circle of trust to include a third-party vendor. These service providers, known as business associates (BAs), open your company up to the potential risk of a PHI breach. According to HHS.gov, 62 percent of the total number of patient records breached involved a business associate, increasing the need to thoroughly vet anyone that touches your PHI. The stakes for both covered entities and business associates is getting higher, with HHS now extending responsibility to protect PHI to all business associates throughout the chain of trust. States are also exercising their rights to prosecute business associates under other provisions besides the HITECH Act. HIPAA Breach Fines and Penalties A covered entity s lack of due diligence can result in costly fines and penalties. The fines and penalties for a HIPAA violation (a data breach, whether lost or stolen) range from $100 per violation with a maximum fee of $25,000 for repeat violations to $50,000 per violation with a maximum fee of $1.5 million. 14 The fine amount varies by different classification levels dependent on violation criteria, with minimum and maximum penalties for first-time/repeat violations and annual fees: 14 Office of Civil Rights, Federal Register Vol. 74, No. 209, Rules and Regulations; Copyright Online Tech All Rights Reserved. page 17 of 36

18 HIPAA Violation Types and Penalties 15 VIOLATION TYPE MIN. PENALTY MAX. PENALTY Individual didn t know they violated HIPAA Reasonable cause and not willful neglect Willful neglect but corrected with time Willful neglect and is not corrected $100/violation; annual max of $25,000/repeat violations $1,000/violation; annual max of $100,000/repeat violations $10,000/violation; annual max of $250,000/repeat violations $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million Another category of a HIPAA violation is determined by covered entities and individuals that knowingly breached the HIPAA regulations for these, criminal penalties apply. The maximum offense is a HIPAA breach committed with intent to sell, transfer or use individually identifiable health information for personal/financial gain or malicious harm, resulting in fines of $250,000 and imprisonment for up to ten years. Ultimately, covered entities are held responsible when it comes to monetary and reputational consequences, although responsibility will extend to include business associate in recent proposed revisions to the HIPAA rules. 15 American Medical Association, HIPAA Violations and Enforcement; Copyright Online Tech All Rights Reserved. page 18 of 36

19 5.0. Vendor Selection Criteria 5.1. HIPAA Compliant Business Associates When a covered entity decides to outsource HIPAA compliant hosting to a business associate, they need to look for certain indicators of compliance to ensure due diligence in vetting their service provider. Due diligence can help a covered entity prevent a potential data breach resulting in costly fines and reputational and business damage. HIPAA Report on Compliance (HROC) As the number of reported data breaches and the cost of these data breaches to the healthcare industry rise, it becomes imperative for a covered entity to select business associates that have invested in an independent audit and can provide a copy of their audit report to ensure they are following compliant policies and procedures. Ask your HIPAA hosting provider if they can provide a copy of their independent audit report (also known as a HIPAA Report on Compliance, HROC), stating they are compliant across all 54 HIPAA citations, 136 audited components and 19 standards. HIPAA Certification vs. Compliance Beware of data center operators that claim to be HIPAA certified. There is no governing body or federally recognized HIPAA certification, for covered entities or business associates alike. The correct term and usage is HIPAA compliant, meaning their policies, procedures, technology and staff implement security controls that are aligned with the HIPAA rules. While, in some cases, certification may mean they have taken an unofficial exam and passed with knowledge of HIPAA-related material, it does not mean their facilities, staff or solutions are actually compliant with the HIPAA standards. It also does not mean using their services will make your company compliant. Other Data Center Audits While an HROC is specific to healthcare and the protection of PHI, other data center audits can give you additional guidance and insight into a vendor s ongoing compliance and level of operating standards, as well as the quality of service you can expect to receive. SAS The Statement on Auditing Standard No. 70 was originally used to measure a service provider s controls related to financial reporting and recordkeeping. Two types are recognized by the AICPA (American Institute of CPAs) - Type 1 reports on a 16 American Institute of CPAs, SAS No. 70 Transformed; onserviceorganizations.aspx Copyright Online Tech All Rights Reserved. page 19 of 36

20 company s description of their operational controls, while Type 2 includes an auditor s opinion on how effective these controls are over a specified period of time. In both cases, keep in mind that the audited company gets to specify the controls that they will be audited against. Some specify only a handful of weak controls. Others specify dozens of strong controls. Make sure you read the details of the controls. SSAE 16 - The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June A SSAE 16 audit measures the controls relevant to financial reporting. Type 1 reports on a data center s description and assertion of controls, as reported by the company. Type 2 provides a description of an auditor s test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time. No two SSAE 16 audit reports are the same as there is no standard of controls. Make sure you read the details of the controls. SOC One of the three new Service Organization Controls (SOC) reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It measures the same controls as an SSAE 16 audit. SOC This report is a very detailed account of the technical aspects as they relate to controls specifically concerning IT and data center server operators. The five controls include security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types: Type 1 reports on a data center s system and suitability of its design of controls, as reported by the company. Type 2 includes everything in Type 1, with the addition of verification of an auditor's opinion on the operating effectiveness of the controls. This is the first AICPA audit to begin standardizing controls so there is less variety between reports. However, since every audit, auditor, and company are different, it is wise to read the details of the report don t take it for granted. SOC This report includes the auditor s opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report. PCI DSS 20 - The Payment Card Industry Data Security Standards was created and implemented by major credit card issuers and it applies to companies that collect, store, process and transmit cardholder data. Data center operators that host cardholder data need to have undergone a PCI audit to achieve an attestation of compliance report (the 17 American Institute of CPAs, SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting; 18 American Institute of CPAs, SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy; 19 American Institute of CPAs, SOC 3: Trust Services Report for Service Organizations; 20 The PCI Security Standards Council, PCI SSC Data Security Standards Overview; Copyright Online Tech All Rights Reserved. page 20 of 36