HIPAA/HITECH Compliance Using VMware vcloud Air



Similar documents
VMware vcloud Air HIPAA Matrix

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

VMware vcloud Air Security TECHNICAL WHITE PAPER

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

HIPAA BUSINESS ASSOCIATE AGREEMENT

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

VMware AlwaysOn Point of Care Desktop. with Indigo Identityware software for Fast Access & Strong Authentication with Roaming Desktops

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

The Impact of HIPAA and HITECH

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

CHIS, Inc. Privacy General Guidelines

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Healthcare Compliance Solutions

What s New in VMware Data Recovery 2.0 TECHNICAL MARKETING DOCUMENTATION

TIBCO Nimbus Cloud Service

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

HIPAA Compliance Guide

HIPAA BUSINESS ASSOCIATE AGREEMENT

Upgrading Horizon Workspace

Datto Compliance 101 1

Cyber, Security and Privacy Questionnaire

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

VMware Hybrid Cloud. Accelerate Your Time to Value

Configuring Single Sign-on from the VMware Identity Manager Service to Amazon Web Services

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

VMware Horizon Mobile Secure Workplace User Installed Applications Support with Liquidware Labs HOW-TO GUIDE

A to Z Information Services stands out from the competition with CA Recovery Management solutions

Well-Documented Controls Reduce Risk and Support Compliance Initiatives

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Altius IT Policy Collection Compliance and Standards Matrix

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Using NetIQ Security and Administration Products to Ensure HIPAA Compliance March 25, Contents

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online

My Docs Online HIPAA Compliance

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

SECURITY RISK ASSESSMENT SUMMARY

VMware vcloud Powered Services

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Public Cloud Service Definition

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

COMPLIANCE ALERT 10-12

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Top Ten Technology Risks Facing Colleges and Universities

VMware Cloud Automation Design and Deploy IaaS Service

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

VMware vsphere Data Protection

HIPAA Information Security Overview

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

HIPAA and Mental Health Privacy:

efolder White Paper: HIPAA Compliance

VMware vcloud Air. Enterprise IT Hybrid Data Center TECHNICAL MARKETING DOCUMENTATION

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

ALERT LOGIC FOR HIPAA COMPLIANCE

Managing the Business of IT in the Cloud Era. VMware vrealize Business

Sustainable Compliance: A System for Ongoing Audit Readiness

Helping Customers Move Workloads into the Cloud. A Guide for Providers of vcloud Powered Services

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

A Guide to Disaster Recovery in the Cloud. Simple, Affordable Protection for Your Applications and Data

Supplier IT Security Guide

HIPAA Security Rule Compliance

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

SECURITY IN THE HYBRID CLOUD:

HIPAA Compliance Guide

BUSINESS ASSOCIATE AGREEMENT. Recitals

ThinPrint GPO Configuration for Location-Based Printing

Mobile Secure Desktop Maximum Scalability, Security and Availability for View with F5 Networks HOW-TO GUIDE

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

Transcription:

Last Updated: September 23, 2014 White paper

Introduction This paper is intended for security, privacy, and compliance officers whose organizations must comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, and others responsible for maintaining compliance with those Acts. HIPAA and HITECH establish rules covering healthcare organizations and their business associates to assure the privacy and security of Protected Health Information (PHI), including PHI contained in Electronic Medical Records (EMR). When such an organization entrusts PHI to a business associate for processing or storage, for example in a Cloud Service, responsibility for compliance with HIPAA and HITECH rules may fall to the organization or its associate, or it may become a joint responsibility of the organization and its associate. The paper: Outlines individual and joint responsibilities of VMware clients who must comply with HIPAA and HITECH rules, and VMware as their business associate, when PHI is transmitted to, stored in, processed by, and retrieved from VMware vcloud Air. Introduces the VMware Business Associate Agreement documenting VMware s commitment to use appropriate privacy and security safeguards against unauthorized use or disclosure of PHI, and to respond appropriately to data breaches. Responsibilities for Protected Health Information in the Cloud Healthcare providers, insurers, and other organizations comply with HIPAA and HITECH rules by instituting, documenting, and auditing processes to assure the privacy and security of patients Protected Health Information. Technologies like Cloud computing can t themselves be HIPAA-compliant or noncompliant, but technology providers practices become part of the compliance discussion when they affect PHI privacy and security. VMware has developed an information security management program for its vcloud Air, incorporating essential elements of HIPAA and HITECH. But healthcare and insurance clients must understand the limits of VMware s or any Cloud Service Provider s control over the components and processes of cloud computing. Understanding these limits will help VMware and its clients define their roles and responsibilities logically, so that they can meet their individual and joint privacy and security obligations without duplication or gaps. Individual Responsibilities and Limits to Control Organizations are responsible only for processes they control. For instance, VMware maintains the infrastructure that stores information sent or created by vcloud Air tenants as virtual machines, virtual disks, etc., on vcloud infrastructure. VMware maintains and controls the data centers, physical infrastructure, and management systems that make up this infrastructure, and is therefore responsible for elements associated with the infrastructure, including for example: Administrative safeguards policies and procedures governing access controls, incident response, backup and recovery, etc. Physical safeguards infrastructure, policies, logs, records, and procedures to control physical access to PHI and guide its secure disposal. Technical safeguards access controls for electronic communications containing PHI, including encryption and network security associated with the infrastructure, but not tenant systems or data. VMware also controls, and is responsible for, the processes by which it notifies Service tenants following discovery of a breach of unsecured PHI. white paper / 2

But VMware cannot control the way the information is represented, stored, or protected by vcloud Air tenants within their virtual machines, disks, etc., running or stored on the Service or traveling across networks over which tenants have administrative control. For example, VMware cannot determine or maintain the integrity of: Client operating systems or applications they contain (security, intrusion prevention, patch management, etc.). Client and public networks over which information travels to, from, or within a tenant s vcloud Air subscription. Policies by which its clients information from being read by third parties (encryption), grant access to PHI (authorization), make sure only authorized individuals access it (authentication), protect it from being read by third parties (encryption), and so on. Clients are individually responsible for assuring compliance of these and other processes under their control. Figure 1. This Responsibility Stack, illustrates the limits of control and areas of individual responsibility for VMware and tenants of its vcloud Air. white paper / 3

Joint Responsibilities Not every HIPAA/HITECH requirement is the exclusive responsibility of one party or another. VMware vcloud Air offers many services that, when adopted and properly applied by a Service tenant, can help them maintain HIPAAand HITECH-compliance of their processes. In these cases, VMware is responsible to meet its contractual obligations to Service tenants, and tenants are responsible to adopt and use the services as needed to meet their obligations. These are some examples of joint responsibilities: Access Controls VMware provides a means to deny unauthorized persons access to vcloud Air; tenants manage user accounts to keep authorizations up to date, delete accounts when users leave the organization, etc. Firewall VMware logically segregates the virtual systems of vcloud Air tenants and provides technologies to secure communications among tenant s virtual machines and data centers. Tenants document, implement, and test their instances of these technologies to assure the security of PHI in their care. Disaster Recovery VMware documents, implements, and regularly tests business continuity and disaster recovery plans; tenants document and implement their own such plans and assure that PHI in their care is recoverable. Overall, organizations required to comply with HIPAA and HITECH rules are responsible to adopt and use VMware vcloud Air in a manner that achieves and maintains that compliance. VMware Business Associate Agreement VMware is committed to serving the healthcare market with a broad range of reliable, high-performance Cloud Computing services. To help VMware vcloud Air clients document their compliance with HIPAA and HITECH rules, we provide a Business Associate Agreement that documents VMware s contractual obligation to use appropriate safeguards to: Prevent unauthorized access, use, or disclosure of Protected Health Information Respond to data breaches quickly and appropriately Current or potential clients interested in reviewing the Business Associate Agreement should contact their VMware representative for full details. Disclaimer This paper is not intended as legal advice. Clients should consult qualified legal and compliance advisers when making decisions about HIPAA/HITECH compliance and the use of VMware vcloud Air. VMware neither expresses nor implies any warranty about the accuracy or fitness for any purpose of the information in this document. white paper / 4

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-HIPAA-HITECH-COMPLIANCE-USING-VCLOUD-AIR-USLET-101 09/14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information