You may have seen HIPAA compliance appear in your search for a secure web hosting provider, but what exactly is a HIPAA server? What is HIPAA, for that matter? You may also be wondering if you need to be using a HIPAA compliant server? These are all great questions! We first need to start with the term HIPAA, as it’s quite a vital piece to understanding when a HIPAA compliant server is necessary.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (more commonly called HIPAA) mandated necessary protocols be defined and followed when handling Personal Health Information (PHI). PHI records are any form of a medical record that contains information that can identify an individual person. The purpose of HIPAA is to ensure the integrity and confidentiality of the sensitive data within these kinds of records. The 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) modified HIPAA to include electronic Personal Health Information (ePHI). Also, sometimes called Electronic Medical Records (EMR).
What is a HIPAA Server?
A HIPAA compliant server is one that follows the guidelines defined by HIPAA to prevent medical record information data breaches. ePHI data breaches can be detrimental to individual or entity reputations and result in severe legal consequences. In part 164 of the Code of Federal Regulations (CFR) within HIPAA, it specifies:
Paragraph 164.308(a)(1)(i) Standard: Security Management Practices—Implement policies and procedures to prevent, detect, contain, and correct security violations.
HIPAA mandates that entities handling PHI data adopt and invoke their own set of policies to protect the integrity and confidentiality of these records. It’s up to the individual entities to determine how to approach these aspects of protecting the data. The following is a list of sample policies that address these requirements and would constitute a valid HIPAA server:
- Physical Data Storage Security: Any media or servers which contain ePHI data, must be secured from unauthorized physical access. This often includes using locked cages or cabinets.
- Physical Data Destruction Security: Destruction of ePHI data, is usually peer-reviewed and logged by a chain of custody certificates that explicitly state how the data was destroyed.
- Data Access Security: Maintaining remote and physical access control lists and chain of custody logging to ensure every time the data is accessed, it’s by an authorized and documented individual.
- Data Integrity Security: This generally takes on the form of action logging, in addition to the chain of custody logging. Any form of action done to the data must be documented and logged.
- Data Transfer Security: When transmitting data over network interfaces, the connection must be encrypted end-to-end to ensure security.
- Data Breach Reporting: Anytime there is a breach of HIPAA policies, the breach and potential impact of the breach must be documented, logged and reported immediately.
When Do I Need a HIPAA Server?
A HIPAA compliant server is necessary only when storing, transferring, reading, displaying or otherwise accessing any form of data that contains individually identifiable Health Information. Anonymous medical data is not subject to HIPAA or HITECH and is not required to be secured in the same way. In general, if you’re not in the Health Industry, there is no need for a HIPAA compliant server. The CFR part 160.103 specifically defines Health Information as:
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
How can Liquid Web help?
Liquid Web has you covered! We have designed a robust suite of HIPAA-compliant, fully managed hosting solutions. We take care of all the necessary policy enforcement and documentation with the day to day systems administration of your HIPAA servers. Our support staff is fully armed with the required knowledge to enforce our HIPAA procedures. You can rest assured that we will handle any necessary HIPAA related actions when working on one of your HIPAA servers. You can see a full list of these policies, how we enact them, and our HIPAA compliant offerings here: HIPAA Compliant Data Centers & Solutions. You can even chat with a HIPAA Specialist right away to answer any looming questions you may still have.