Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Similar documents
HIPAA/HITECH Compliance Using VMware vcloud Air

efolder White Paper: HIPAA Compliance

Healthcare Compliance Solutions

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA Compliance Guide

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

HIPAA Compliance Guide

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

Healthcare Compliance Solutions

Double-Take in a HIPAA Regulated Health Care Industry

Security Considerations

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

Isaac Willett April 5, 2011

Feisal Nanji. Techumen LLC,

HIPAA Privacy & Security White Paper

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

HIPAA Compliance and the Protection of Patient Health Information

COMPLIANCE ALERT 10-12

TACKLING THE ENCRYPTION CONUNDRUM

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

Regulatory Update with a Touch of HIPAA

Datto Compliance 101 1

Data Breach, Electronic Health Records and Healthcare Reform

HIPAA BUSINESS ASSOCIATE AGREEMENT

This form may not be modified without prior approval from the Department of Justice.

Preparing for the HIPAA Security Rule

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

The Impact of HIPAA and HITECH

CallRail Healthcare Marketing. HIPAA and HITECH Compliance for Covered Entities using Call Analytics Software

M E M O R A N D U M. Definitions

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

CHIS, Inc. Privacy General Guidelines

NET ACCESS HIPAA COMPLIANT FLEXCloud

C.T. Hellmuth & Associates, Inc.

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

Use & Disclosure of Protected Health Information by Business Associates

HIPAA Compliance: Are you prepared for the new regulatory changes?

Table of Contents INTRODUCTION AND PURPOSE 1

HIPAA PRIVACY AND SECURITY AWARENESS

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

HIPAA COMPLIANCE AND

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

How To Write A Health Care Security Rule For A University

HIPAA and Cloud IT: What You Need to Know

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FACT SHEET: Ransomware and HIPAA

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

CONTENT OUTLINE. Background... 3 Cloud Security Instance Isolation: SecureGRC Application Security... 5

Health Partners HIPAA Business Associate Agreement

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

FAQ: HIPAA AND CLOUD COMPUTING (v1.0)

- Procedures for Administrative Access

HIPAA Privacy and Security Requirements

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

HIPAA BUSINESS ASSOCIATE AGREEMENT

ACHIEVING HIPAA COMPLIANCE WITH POSTGRES PLUS CLOUD DATABASE

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

VMware vcloud Air HIPAA Matrix

Cloud Computing and HIPAA Privacy and Security

Healthcare Security and HIPAA Compliance with A10

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

HIPAA/HITECH: A Guide for IT Service Providers

Model Business Associate Agreement

HIPAA-compliant Cloud Faxing

Can Your Diocese Afford to Fail a HIPAA Audit?

Complying with PCI Data Security

White Paper. BD Assurity Linc Software Security. Overview

DRAFT Standard Statement Encryption

HIPAA Business Associate Agreement

SCADA SYSTEMS AND SECURITY WHITEPAPER

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Changes Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Transcription:

ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Table of Contents Introduction... 2 Encryption and Protection of PHI... 3 Dedicated Server Solutions... 3 Dedicated Private Cloud Solutions... 4 Auditing, Back-Ups, and Disaster Recovery... 4 Notice... 5 1 P a g e

Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to covered entities and business associates. Covered entities include health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses. Business associates are entities that provide services to a covered entity that involve access by the business associate to Protected Health Information (PHI), as well as entities that create, receive, maintain, or transmit PHI on behalf of another business associate. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on HIPAA and HITECH, visit http://www.hhs.gov/ocr/privacy/. Covered entities and their business associates can use the secure, scalable, low-cost IT components provided by Advanced Internet Technologies, Inc. (AIT) to architect applications in alignment with HIPAA and HITECH compliance requirements. AIT offers an infrastructure platform with industryrecognized certifications, and over 20 years of experience in the IT services industry. AIT s services and data center have multiple layers of operational and physical security to help ensure the integrity and safety of customer data. AIT enables covered entities and their business associates subject to HIPAA to securely process, store, and transmit PHI. Additionally, AIT, as of November 2015, offers a standardized Business Associate Addendum (BAA) for such customers. Customers who execute an AIT BAA may use the services designated as HIPAA compliant. Services that are HIPPA compliant as of the publishing of this whitepaper include Dedicated Server and Dedicated Private Cloud solutions that contain at minimum a single firewall, and private switch. AIT maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the administrative, technical, and physical safeguards required under HIPAA. Using these services to store, process, and transmit PHI allows our customers and AIT to address the HIPAA requirements applicable to AIT s designated services. 2 P a g e

Encryption and Protection of PHI The HIPAA Security Rule includes addressable implementation specifications for the encryption of PHI in transmission ( in-transit ) and in storage ( at-rest ). Although this is an addressable implementation specification in HIPAA, AIT requires customers to encrypt PHI stored in or transmitted using HIPAA-eligible services in accordance with guidance from the Secretary of Health and Human Services (HHS), Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Please refer to this site because it may be updated, and may be made available on a successor (or related site) designated by HHS. Dedicated Server Solutions Network traffic containing PHI must encrypt data in transit. For traffic between external sources (such as the Internet or a traditional IT environment) and dedicated server solutions from AIT, customers should use industrystandard transport encryption mechanisms such as TLS or IPsec virtual private networks (VPNs), consistent with the Guidance from HHS. Internal to AIT s network, network traffic containing PHI must also be encrypted; most applications support TLS or other protocols providing in-transit encryption that can be configured to be consistent with the Guidance. For applications and protocols that do not support encryption, sessions transmitting PHI can be sent through encrypted tunnels using IPsec or similar implementations between instances. AIT Dedicated Server instances that customers use to process, store, or transmit PHI are run on Dedicated Servers, which are servers that run on hardware dedicated to a single customer. Dedicated Servers are physically isolated at the host hardware level from other AIT customers and share no resources, data storage locations, etc. For more information on Dedicated Servers, see https://www.ait.com/dedicated/ 3 P a g e

Dedicated Private Cloud Solutions Similar to Dedicated Servers, Dedicated Private Cloud solutions operate on independent hardware that is designated for a single customer only. The same rules regarding security for data at rest or data in transit apply. Customers should use industry-standard transport encryption mechanisms such as TLS or IPsec virtual private networks (VPNs), consistent with the Guidance from HHS. The same encryption algorithms used on Dedicated Servers can be applied on a Dedicated Private Cloud. For more on Dedicated Private Cloud, visit https://www.ait.com/dedicated-private-cloud Auditing, Back-Ups, and Disaster Recovery HIPAA s Security Rule also requires in-depth auditing capabilities, data back-up procedures, and disaster recovery mechanisms. During the initial sales inquiries, AIT will review some options for additional services that will help customers address these requirements. In designing an information system that is consistent with HIPAA and HITECH requirements, customers should put auditing capabilities in place to allow security analysts to examine detailed activity logs or reports to see who had access, IP address entry, what data was accessed, etc. This data should be tracked, logged, and stored in a central location for extended periods of time, in case of an audit. In AIT s Dedicated Private Cloud environment, customers can run activity log files and audits down to the packet layer on their virtual servers. The same would happen for any Dedicated Server provided by AIT as well. A customer s administrators can back up the log files onto other disks, or separate servers for archive purposes. Under HIPAA, covered entities must have a contingency plan to protect data in case of an emergency and must create and maintain retrievable exact copies of electronic PHI. To implement a data back-up plan with AIT s services, you ll first need to have an archiving volume or repository. This repository can be located inside of AIT s facility or be off-site, depending on your needs. These volumes can be exposed as standard block devices, and they offer off-server storage that persists independently from the life of a server or virtual server. To align with HIPAA guidelines, customers can create point-in-time snapshots of virtual machines inside of a Dedicated Private Cloud on volumes that automatically are stored on other servers. Disaster recovery, the process of protecting an organization s data and IT infrastructure in times of disaster, is typically one of the more expensive HIPAA requirements to comply with. This involves maintaining highly available systems, keeping both the data and system replicated off-site, and enabling continuous access to both. AIT inherently offers a variety of disaster recovery mechanisms. Ask your AIT sales representative about the options available to you. 4 P a g e

Notice This document is provided for informational purposes only. It represents AIT s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AIT s products or services, each of which is provided as is without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AIT, its affiliates, suppliers or licensors. The responsibilities and liabilities of AIT to its customers are controlled by AIT agreements, and this document is not part of, nor does it modify, any agreement between AIT and its customers. 5 P a g e

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information