HIPAA-Compliant Hosting provides a foundation for healthcare providers to build applications and services that comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which safeguards themselves and their client’s Personal Health Information (or PHI). Anyone who has access to PHI is required by law to follow these rules and regulations to protect the healthcare data's privacy in their charge.
HIPAA-compliant hosting must conform to HIPAA's legal, administrative, technical, physical, and administrative requirements that allow healthcare providers to build applications and services that conform to the law. Unfortunately, HIPAA-compliant hosting is complicated without the proper support. To conform to these regulations, HIPAA-compliant hosting solutions must, among other things, encrypt data, have disaster recovery plans, provide risk management policies, maintain network security and enforce other robust security rules and technical procedures for the physical servers. A healthcare provider must store, transmit, and process electronic protected health information (ePHI) or public health information (PHI) in accordance with HIPAA rules, which is where HIPAA-Compliant Hosting comes into play.
Standard web hosting solutions are incapable of protecting and properly securing PHI and ePHI health data. It simply lacks the infrastructure and safeguards needed to uphold the rules and regulations regarding the transmission, processing, and storage of protected health information.
What is HIPAA?
HIPAA is the federal law that protects sensitive patient information from being shared without the patient’s consent. HIPAA also includes provisions for compliance, enforcement, and breach notification. But, the most important rules for healthcare providers are the Privacy and Security Rules. The Privacy Rule defines what information is protected, who is covered, and their responsibilities regarding healthcare information. This rule comprises several components that encompass the storage, access, disposal, and control of private health information. It also requires that a covered entity—the healthcare provider in this case—obtain “satisfactory assurances” that any business associates—including hosting providers—will protect healthcare data in line with HIPAA.
What is HITECH?
Congress created the Health Information Technology for Economic and Clinical Health (or HITECH) Act to help drive the implementation of electronic health records (or EHR) and its supporting technology in the United States.
This law encouraged the sharing of electronic PHI between doctors, hospitals, and other entities to cut down on healthcare costs by sharing information. It also expanded the scope of security and privacy protections made available under HIPAA. It increased the possible legal ramifications for non-compliance and provided for more stringent enforcement of HIPAA.
HIPAA Protected Information
Protected health information (PHI) refers to any individually identifiable health information defined under the HIPAA Privacy Rule. This information mainly consists of medical data that could be used to identify an individual and created, disclosed, or used as part of providing healthcare services. PHI includes information about medical conditions, healthcare that has been provided to an individual, and payment information related to healthcare. This info consists of a patient’s past, present, or future physical or mental health or condition.
Some identifiers of PHI include:
- Telephone numbers
- Email addresses
- Social Security numbers
- Geographic data
- Web URLs
- Medical record numbers
- Health plan beneficiary numbers
- Certificate or license numbers
- VIN and license plate numbers
- Device identifiers and serial numbers
- IP addresses
When transmitted by electronic media, this sort of sensitive health information is known as ePHI—or electronic protected health information. Any protected health information that is received, stored, transmitted, or created via electronic media is considered ePHI.
What is a HIPAA Server?
A HIPAA server follows specific compliance guidelines as defined by HIPAA to prevent medical record information data breaches. HIPAA mandates that all entities handling PHI or ePHI data adopt their own set of policies to protect those records’ integrity and confidentiality. This change means it’s up to the entities involved to determine how to approach these aspects of protecting the data.
Do I Need a HIPAA Server?
In general, if you’re not in the Health Industry, there is no need for a HIPAA compliant server. A HIPAA compliant server is only needed when storing, transferring, reading, displaying, or otherwise accessing any form of data that contains individually identifiable Health Information records. The Code of Federal Regulations (or CFR Part 160.103) specifically defines Health Information as:
“Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for providing health care to an individual.”
"Department of Health and Human Services § 160.103 - GovInfo." https://www.govinfo.gov/content/pkg/CFR-2013-title45-vol1/pdf/CFR-2013-title45-vol1-sec160-103.pdf. Accessed 18 Feb. 2021.
Liquid Web HIPAA Compliant Servers
Below is a cross-section of Liquid Web’s policies to assist clients in implementing a HIPAA-Compliant server. This info is not a complete summary of all the requirements that need to be met, but it covered some of the most critical aspects.
Liquid Web policies ensure the procedure for access control by Liquid Web Admins is strictly monitored and supervised. Stringent protocols dictate the level of physical and electronic access to any stored public health information (PHI). These measures include ongoing employee security awareness training, continuous assessment of workstation security, and access monitoring.
We have procedures to regularly test and review the information about system activity, including audit logs, access reports, and security incident tracking records for Liquid Web hardware and software.
Liquid Web offers extra services for hardening dedicated servers, including malware scanning, monitoring/reporting of discrepancies, enforced secure password policies, mitigation procedures, and limited access. If accessing client data within an intranet, it is recommended to use the SSLVerifyCLient and SSLVerifyDepth Apache directives for encrypted transmission of HIPAA/HITECH data. However, this is only beneficial if/when you are aware of all of your users. Typically, this is not for general use cases as it is not a requirement to ensure a safe configuration.
We execute ongoing risk assessments in our internal incident management plans. This includes chain-of-custody documentation that governs the receipt, removal, and destruction of any HIPAA-related hardware where PHI has been stored. Procedures are also in place to cover Liquid Web hardware from natural disasters, other emergencies, or security threats.
A reliable backup service is available to clients for disaster recovery, emergency mode operations, including continuity of business plans for authorized individuals.
Auditor Based Compliance
To gain HIPAA Compliance, the client is required to employ a third-party HIPAA compliance officer/auditor that certifies the server(s) is truly HIPAA compliant. Once hired, the officer/auditor will work directly with the client (not Liquid Web) to inspect the client’s system and configurations. This task is accomplished via a questionnaire and inspection, which the customer must complete.
Liquid Web is unable to certify compliance as we are not a compliance auditor. Liquid Web can, however, assist by offering a Business Associate Agreement (or BAA) which details the items that Liquid Web is responsible for. This document aids the client in completing the required audit attestation documents. A client may require further documentation from Liquid Web asserting our compliance. These documents are online and open for public consumption.
How Can We Help?
Download Liquid Web’s free e-book on HIPAA Compliant Hosting today. We have designed a robust suite of HIPAA-compliant, fully managed hosting solutions to assist with the necessary policy enforcement and documentation of your HIPAA servers’ day-to-day systems administration. Our support staff is fully armed with the required knowledge to enforce our HIPAA procedures. You can rest assured that we will handle any necessary HIPAA-related actions when working on one of your HIPAA servers. A full list of these policies, how we enact them, and our HIPAA compliant offerings are seen here: HIPAA Compliant Data Centers & Solutions. You can even call us at 800.580.4985 or chat with a HIPAA Specialist right away to answer any questions you may have.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.