HIPAA Server Compliance: What You Need to Know
For businesses involved in storing protected health information, ensuring you choose a HIPAA-compliant hosting solution is critical. ServerMania currently has two HIPAA-compliant data centers, Montreal and New York.
HIPAA guidelines have been established to protect and secure patient health records by maintaining high standards when it comes to security, encrypting personal information, and risk management. The guidelines are designed for HIPAA-compliant hosting providers, as well as people and businesses operating in the healthcare industry.
Becoming compliant presents many challenges, but a HIPAA-compliant hosting company already has the infrastructure and safeguards in place and offers an array of managed services. Knowing your patient records are secure with an established HIPAA-compliant hosting company frees your time so you can focus on meeting the HIPAA requirements that apply to your business internally.
In this article, we walk you through the basics of HIPAA-compliant hosting, along with touching upon the requirements for your business, so you can start to understand your obligations under the legislation.
Note: Nothing in this article should be considered legal advice. This article is for informational purposes only. Every business has unique HIPAA compliance requirements, therefore we recommend contacting an attorney in your local jurisdiction for advice on your specific business needs and how it pertains to using HIPAA-compliant hosting services.
See Also: ServerMania Dedicated Server Hosting
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. Passed in 1996, this law was established to adopt national standards for the electronic resources that power healthcare technology systems, transactions and code sets, unique health identifiers, and security. These resources are typically stored on servers in data centers. The United States government acknowledged that advances in technology could erode the privacy of health information, and this legislation was an attempt to ensure that the required standards were met with physical and technical safeguards to keep health information private.
As technology has evolved since 1996 and the storing of electronic patient health information has become more commonplace, the Act has been amended over the years. One such amendment, the HITECH Act Security Standards, was meant to strengthen the physical and technical safeguards that businesses, and by extension HIPAA hosting solution providers, were required to meet. The HIPAA Security Rule was also added as an addendum to HIPAA to account for technological advances in health care.
The Office for Civil Rights is responsible for HIPAA compliance and enforcement, while the Department of Health is responsible for HIPAA regulations. Failure to comply comes with serious fines of up to $50,000 per incident.
Who is required to follow HIPAA?
Only certain businesses within the healthcare industry require HIPAA compliance: covered entities and their business associates.
HIPAA-covered entities include health plans, clearinghouses, and certain health care providers.
Health plans include:
- Health insurance companies
- HMOs, or health maintenance organizations
- Employer-sponsored health plans
- Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs
Clearinghouses
Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other healthcare organizations.
Healthcare Providers
Providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to:
- Doctors
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing homes
- Pharmacies
The Centers for Medicare & Medicaid Services have a helpful tool that can be used to determine whether you are a covered entity.
If a covered entity engages business associates, there must be business associate agreements in place. A business associate agreement identifies exactly what the business associate does for the covered entity and commits that business associate to HIPAA compliance.
If you fall under one of these categories, the onus is on you to ensure that you and your business become HIPAA compliant. Rest assured, a big part of managing that compliance is taken care of by HIPAA-compliant managed services, which you can expect as part of your HIPAA-compliant hosting solutions package.
Check out our HIPAA Dedicated Servers in New York
What is a HIPAA compliant server?
HIPAA-compliant hosting runs on a dedicated server that adheres to the strict technical requirements outlined in the legislation for storing electronic medical records safely. HIPAA-compliant server requirements include complete encryption of patient data, user authentication, and other aspects which we describe in detail below.
HIPAA-compliant hosting must be in a privately hosted environment. Creating a HIPAA-compliant environment means that public cloud or hybrid servers may not be used. A dedicated server or a private cloud are the best options when choosing a hosting provider.
What is Protected Health Information (PHI)?
Protected Health Information (PHI), called Electronic Protected Health Information (ePHI) when it is held or transmitted electronically, is the category of patient health data over which HIPAA gives patients an array of rights.
To achieve HIPAA-compliant hosting, it’s important to understand what data must be maintained to these high standards. Electronic patient health information can be defined as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.
This includes:
- diagnoses
- treatment information
- medical test results, and
- prescription information
When this information can be tied to an individual, it is protected under HIPAA.
How is HIPAA compliance achieved?
HIPAA contains a series of both privacy and security rules. When the legislation was developed, and subsequently amended, lawmakers ensured that the HIPAA security rules outlined exactly how compliance may be achieved. A covered entity must either follow each standard or document why that standard was not followed.
A covered entity should review the security specifications completely and follow the five main components of the process required to become HIPAA compliant.
The 5 main components of HIPAA Planning
A HIPAA-compliant hosting provider will work with you to ensure that your records are HIPAA-compliant, using these five components:
- Assess current security, risks, and gaps
- Develop an implementation plan
- Implement solutions
- Document decisions
- Reassess periodically
Book your free consultation with a knowledgeable Server Deployment rep today.
What are 3 key elements of HIPAA?
The three key elements of HIPAA-compliant hosting security include administrative safeguards, physical safeguards, and technical safeguards. Each of these processes begins with a risk analysis.
HIPAA Risk Analysis
When reviewing all of the HIPAA-compliant security requirements and recommendations with your HIPAA-compliant hosting providers, it is critical to perform a risk analysis. This process allows your organization to determine what risks exist and how best to address them. It can be described as:
- The process of identifying potential security risks, and
- Determining the probability of occurrence and magnitude of risks.
Sanction Policy
Another requirement of the security policies to become HIPAA compliant is a sanction policy within the organization. An organization must “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.” This would apply to business associates as well.
1) Administrative Safeguards
The first element of compliance with the HIPAA Security Rule is administrative safeguards. The Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Reviewing Activity Logs
An organization must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Designate A Security Official
A security official in the organization must be designated who is responsible for the development and implementation of the policies and procedures required for the entity. This is similar to the requirements to designate a privacy officer, and this could be the same person in small organizations.
Workforce Security
The organization must identify which members require access to protected health information (PHI) and restrict access to only the information required. Members of the organization who don’t need access to this data must be prevented from accessing it, and once an employee is terminated there must be procedures to revoke access promptly.
In addition, there must be authorization and supervision of workforce members who access health data. For example, it should be logged when a workforce member attempts to access health data outside of their permitted scope.
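The out-of-scope and post-termination checks described above, as an added example that is not ServerMania’s code: it reviews a constructed access log against an assumed role-to-department scope policy and an assumed workforce roster (log format, roles, user names and dates are all invented for illustration) and returns the events a security official should follow up on.

```python
from datetime import datetime

# Assumed policy: the record departments each role may open.
ROLE_SCOPE = {
    "billing": {"billing"},
    "nurse": {"cardiology", "oncology"},
    "physician": {"cardiology", "oncology", "radiology"},
}

# Assumed roster; a termination date means access should have been revoked that day.
WORKFORCE = {
    "jdoe": {"role": "nurse", "terminated": None},
    "asmith": {"role": "billing", "terminated": None},
    "rlee": {"role": "physician", "terminated": "2024-03-01"},
}

# Constructed log lines: timestamp, user, action, record id, department, outcome.
SAMPLE_LOG = """\
2024-03-02T08:01:10 jdoe READ rec-1001 cardiology allowed
2024-03-02T08:05:44 jdoe READ rec-2040 billing allowed
2024-03-02T09:12:03 asmith READ rec-2041 billing allowed
2024-03-02T09:30:27 rlee READ rec-1003 radiology allowed
2024-03-02T10:02:55 ghost READ rec-1004 oncology denied
"""


def parse_line(line):
    ts, user, action, record, dept, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "record": record, "dept": dept, "outcome": outcome}


def review_access_log(log_text):
    """Return (line_no, user, reason) findings that need follow-up by the security official."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        person = WORKFORCE.get(ev["user"])
        if person is None:  # no roster entry: not a known workforce member
            findings.append((n, ev["user"], "unknown user"))
        elif person["terminated"] and ev["ts"].date() >= datetime.fromisoformat(person["terminated"]).date():
            findings.append((n, ev["user"], "access after termination"))  # revocation was late
        elif ev["dept"] not in ROLE_SCOPE[person["role"]]:
            findings.append((n, ev["user"], f"{person['role']} outside scope: {ev['dept']}"))
    return findings
```

Running `review_access_log(SAMPLE_LOG)` on the constructed log reports the nurse reading a billing record, the terminated physician still reading records, and an account that is not on the roster at all.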
Security Awareness and Training
Security awareness and training programs must be designed and implemented for all organization staff, including management. This requirement also outlines that an organization must conduct:
- Security reminders
- Protection from malicious software
- Log-in monitoring
- Password management
Other Administrative Safeguards
Other administrative safeguards required to maintain HIPAA-compliant server hosting include:
- Security Incident Procedures
- Contingency Planning
- Backup Planning
- Disaster Recovery Planning
- Emergency Mode Operation Planning
- Testing and Revision Procedures
- Applications and Data Criticality Analysis
- Evaluation
2) Physical Safeguards
Facility Access Controls
These standards are designed to implement policies and procedures that limit physical access to an organization’s electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. It involves:
- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records
Workstation Use and Security
This standard refers to how workstations or servers are physically protected from access and intrusion. An organization should review the risks and assess whether any physical locking or other security is required to protect workstations.
As well, policies must be developed and enforced which outline proper workstation use and what activities are appropriate on a business workstation.
Device and Media Controls
Policies must be developed surrounding:
- Media use and re-use
- Data backup and storage
- Records of responsibility and accountability
- Media disposal
3) Technical Safeguards
The third element of HIPAA compliance on the security side is technical safeguards. The HIPAA legislation was designed to be technology agnostic, in that no specific technical solutions are recommended. As technology evolves, the legislation acknowledges that there may be multiple solutions to any of these recommendations.
Access Control
The access control standard includes the following specifications:
- Unique User Identification
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
Audit Controls
Audit controls involve using hardware, software, and/or procedural mechanisms that record and examine activity in information systems. As a HIPAA compliant solutions provider, we must offer HIPAA compliance monitoring.
These systems should be monitored and reviewed based on the risks particular to the organization. In particular, note which audit records would be available if a security violation occurred: does the organization have the appropriate audit record in place to track down the source?
Integrity
Data integrity procedures include steps taken to protect electronic medical records from improper alteration or destruction. This could be something similar to checksum calculations or digital signatures on files. A HIPAA disaster recovery plan is a critical element of contingency planning and outlines the responsibilities and steps taken when a failure event occurs.
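The checksum approach mentioned above, as an added example that is not ServerMania’s code: a keyed SHA-256 (HMAC) manifest over a set of records, so that an unauthorized change to a record, or to the manifest itself, is detected on verification. A keyed tag is used instead of a plain checksum because a plain checksum can simply be recomputed by whoever altered the file; the key, record names and record contents are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumed integrity key: in practice this comes from a KMS or HSM, never from the record store.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"


def record_tag(key, name, data):
    """Keyed SHA-256 tag over the record name and contents, so one valid record
    cannot be swapped for another valid record without the tag changing."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode())
    mac.update(b"\0")  # separator so name and data cannot be confused
    mac.update(data)
    return mac.hexdigest()


def build_manifest(key, records):
    """records: dict of record name -> bytes. Returns a JSON manifest string."""
    tags = {name: record_tag(key, name, data) for name, data in sorted(records.items())}
    return json.dumps(tags, sort_keys=True)


def verify_manifest(key, manifest_json, records):
    """Return {"altered": [...], "missing": [...], "unexpected": [...]}; all empty means intact."""
    expected = json.loads(manifest_json)
    report = {"altered": [], "missing": [], "unexpected": []}
    for name, tag in expected.items():
        if name not in records:
            report["missing"].append(name)  # destroyed or removed since the manifest was built
        elif not hmac.compare_digest(tag, record_tag(key, name, records[name])):
            report["altered"].append(name)  # contents changed since the manifest was built
    report["unexpected"] = sorted(set(records) - set(expected))  # records nobody signed for
    return report


# Constructed sample records.
RECORDS = {
    "rec-1001.txt": b"patient: A; dx: hypertension; rx: lisinopril 10mg\n",
    "rec-1002.txt": b"patient: B; dx: none; lab: HbA1c 5.4\n",
}
MANIFEST = build_manifest(MANIFEST_KEY, RECORDS)

# Simulated improper alteration of one record (dose changed) and destruction of the other.
TAMPERED = {"rec-1001.txt": b"patient: A; dx: hypertension; rx: lisinopril 40mg\n"}
```

`verify_manifest(MANIFEST_KEY, MANIFEST, RECORDS)` reports nothing, while the same call on `TAMPERED` reports rec-1001 as altered and rec-1002 as missing; verifying with the wrong key flags every record, which is what makes a forged manifest detectable.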
Person or Entity Authentication
HIPAA-compliant hosting providers must have mechanisms in place to verify that a person or entity seeking access to electronic protected health information is the one claimed. This could be a password, PIN, or two-step verification.
Transmission Security
Finally, your HIPAA-compliant hosting partner must ensure that health data being transmitted is sent in a secure fashion. This involves a variety of mechanisms where HIPAA-compliant data centers must conduct data integrity checks, and determine what other mechanisms may protect data in transit.
Example Safeguards
As previously mentioned, HIPAA-compliant hosting is unique to the size of your organization and your particular risks. There is no out-of-the-box hosting solution that can achieve full compliance for you without significant investment on your part to maintain compliance. Some examples of hosting safeguards include:
- SSL certificates on all domains and subdomains
- An encrypted VPN inside your office and between all servers
- A robust firewall on all servers
- Offsite backups which are also HIPAA compliant
- A private cloud environment
- Data center SOC 2 Type II and SOC 3 Type II certifications
Useful HIPAA Resources
The HHS.gov website is the site for the U.S. Department of Health & Human Services and contains extensive documentation on understanding the standards required for HIPAA-compliant servers. More information on the topic may be found here.
Deploy A HIPAA Server
As you can see, deploying HIPAA compliant server hosting involves a significant amount of time and expense for covered entities and business associates. ServerMania offers a large variety of managed services from HIPAA compliant cloud solutions to dedicated servers in their New York data center and Montreal data center.
Book your free consultation with one of ServerMania’s expert Server Deployment reps who will help you navigate your way around the HIPAA regulations.