
ELI5: HIPAA Compliant Servers

03/31/2015 by Corinn Pope

Ensuring your servers are “HIPAA compliant” sounds like an overwhelming, expensive, and hoop-jumping process to go through. That’s probably why HIPAA compliant hosting services charge around $1,000/month and up (mostly up) for health care organizations to host any ePHI on. And it’s why many, many organizations buy it.

But what if we told you there was another way?

If you understand the HIPAA requirements and the addressable safeguards, know information security best practices (and have the infrastructure, of course), then working out how to make servers HIPAA compliant isn’t too difficult.

But there aren’t any HIPAA hosting requirements to speak of – so how do we know we’re compliant?

First, we need to understand the basics of HIPAA and then we have to make sure we have the applicable safeguards enacted and that anyone else holding on to our data is doing the same.

Quick Overview of HIPAA

If you’re at all interested in setting up your own HIPAA server, this extremely brief review should be cake for you. If it’s not, you should probably outsource hosting… just FYI. If you want a more thorough breakdown, check out this post on HIPAA.

The Privacy Rule

Protects all personal health information (PHI)

The Security Rule

Protects all personal health information (PHI) in electronic format by placing administrative, technical, and physical safeguards on it.

  • Administrative Safeguards
    • Policies and procedures designed to clearly show how the entity will comply with the act
      • Examples include privacy plans, compliance officers, “need to know”, ongoing training, contingency plans, etc.
  • Technical Safeguards
    • Technology, policies, and procedures that protect and control access to ePHI
      • Examples include encryption, authentication, configuration management, unauthorized change alerts, etc.
  • Physical Safeguards
    • Physical measures, policies, and procedures to protect ePHI
      • Examples include proper disposal of equipment, scanning of equipment, placing screens out of view of a wandering eye, etc.

Some of the safeguards are required while others are addressable – meaning you don’t have to implement them if you don’t want to, but you better have a darn good reason and other safeguards applied to cover yourself and your data.

The Breach Notification Rule

Breaches must be reported within a specified time period and must be reported to the Secretary of HHS, affected patients, and the media (in certain cases).


Understanding the Nuances and Requirements for Setting up a Compliant Server

Requirement Number One: You need a BAA (Business Associate Agreement). A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A Business Associate Agreement ensures that they’re going to protect your ePHI just as closely as you would. Any self-proclaimed HIPAA compliant service not offering this is bad news. Run away fast.

Requirement Number Two: Ensure proper safeguards are in place. What does this entail? Encryption of all data (duh), only authorized access (duh, but sadly sometimes forgotten), audit trails (log any and all access and modifications), documentation of your network and access points (you’ve done this, right?), and backups of your data (duh).

Plus document all of these actions and processes. If you’re not doing all of these, you better get your data on a HIPAA compliant server or service pronto and work on securing your data…like yesterday.
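To make “only authorized access” and “audit trails (log any and all access and modifications)” concrete, and to show how the “unauthorized change alerts” safeguard listed earlier can apply to the audit trail itself, here is an added Python example. It is not part of the original post and not any product’s code: the role-to-permission map, the EphiStore wrapper and the patient record are constructed for illustration. Every read or update is checked against the caller’s role and written to a hash-chained, append-only log before the data is touched, so denied attempts are recorded too, and any later edit or deletion of a log entry is detected by verify().

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role -> permitted actions map, constructed for this example.
# Least privilege: the system administrator keeps the box running but has
# no business need to read patient records.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read"},
    "it_admin": set(),
}

GENESIS_HASH = "0" * 64


class AuditTrail:
    """Append-only access log. Each entry embeds the SHA-256 of the previous
    entry, so editing or deleting any entry breaks the chain on verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, role, action, record_id, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "record_id": record_id,
            "allowed": allowed,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry's hash matches its content and its prev_hash
        links to the entry before it (an unauthorized change alert trigger)."""
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash or self._digest(entry) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


class EphiStore:
    """Toy ePHI record store (hypothetical): every read and update is authorized
    by role and logged, whether it was allowed or denied."""

    def __init__(self, audit):
        self.audit = audit
        self.records = {}

    def _authorize(self, user, role, action, record_id):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(user, role, action, record_id, allowed)  # log first
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")

    def read(self, user, role, record_id):
        self._authorize(user, role, "read", record_id)
        return self.records[record_id]

    def update(self, user, role, record_id, data):
        self._authorize(user, role, "update", record_id)
        self.records[record_id] = data


def demo():
    audit = AuditTrail()
    store = EphiStore(audit)
    # Constructed sample record; no real patient data.
    store.records["pt-0001"] = {"name": "Sample Patient", "note": "constructed"}

    store.read("dr_smith", "physician", "pt-0001")
    store.update("dr_smith", "physician", "pt-0001", {"name": "Sample Patient", "note": "updated"})
    denied = 0
    try:
        store.read("root", "it_admin", "pt-0001")  # logged, then refused
    except PermissionError:
        denied += 1

    # Tampering attempts on copies of the log: flipping the denied entry to
    # "allowed" and deleting the middle entry must both be caught by verify().
    edited = copy.deepcopy(audit)
    edited.entries[2]["allowed"] = True
    trimmed = copy.deepcopy(audit)
    del trimmed.entries[1]

    return {
        "entries": len(audit.entries),
        "denied": denied,
        "intact": audit.verify(),
        "edit_detected": not edited.verify(),
        "delete_detected": not trimmed.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the log would be written to storage the application account cannot rewrite (a separate log host or write-once medium) and verify() would run on a schedule, with a failure raising the alert; the in-memory list here only shows the check itself.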


If your organization is in a good place security-wise, setting up a HIPAA compliant server shouldn’t be too hard. It will probably be the administrative burden that makes you go to an outside-hosted solution.

Benefits of Using Outside HIPAA-Compliant Hosting Services

  • You don’t have to maintain servers yourself
  • You share or transfer the risk with or to another company
  • You don’t have to purchase infrastructure and hardware

Drawbacks of Using Outside HIPAA-Compliant Hosting Services

  • Very high costs
  • Additional agreements may need to be drafted
  • Additional considerations for application hosting may need to be discussed


Remember – whether you choose to outsource ePHI hosting or keep it in-house is dependent on your organization and situation. Please don’t take this article for legal advice regarding HIPAA and ePHI/PHI.


References and Resources

5 Questions to ask your HIPAA Hosting Provider

HIPAA Compliant Hosting Explained

ELI5: HIPAA

3 Non-negotiable Security Practices for Clinical Information Systems

