HIPAA Compliance

HIPAA (the Health Insurance Portability and Accountability Act of 1996) was enacted as a standard for ensuring the privacy of health information, including health information that is stored and transmitted digitally. Some refer to it as HIPPA, but HIPAA is the correct name.

Are you HIPAA Compliant?

Since we are not a health provider and hold no health information ourselves, HIPAA does not apply to us directly. However, we provide a secure environment that meets the HIPAA standards for physical data security and access safeguards, so websites hosted with us can be HIPAA compliant.

What do I need to do to be HIPAA Compliant?

Wikipedia has a good breakdown of the different parts of the security portion of the act here:

Some of the HIPAA requirements relate to your internal business and staff procedures (i.e. the "Administrative Safeguards"). The requirements that relate to us when you host health information on our servers are the "Physical Safeguards" (i.e. preventing unauthorized access to the physical hardware housing the data) and parts of the "Technical Safeguards".

More information on our physical safeguards: https://wiki.hostek.com/Hostek_infrastructure#Physical_security

What are your recommendations for maintaining HIPAA Compliance?

Recommendations for maintaining HIPAA Compliance include:

Securing Website Data

If you will be storing any health information on your website, we have the following recommendations:

  1. VPS servers should be used instead of shared hosting, because a VPS allows access to be restricted more tightly than is possible in a shared environment.
  2. All access to protected information should take place over HTTPS using a valid SSL/TLS certificate.
  3. Any database system that stores health information should use firewall rules to block all connections except those from your website server.
  4. Regular security scans should be performed to identify possible security flaws in your web applications and scripts.

Securing Database Data

  1. Access to databases should be blocked except from the website servers that actually require it.
  2. Any health information in the database that can be encrypted should be encrypted.
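The second recommendation is easy to state and easy to get subtly wrong, so here is an added example of application-level field encryption (not Hostek's code and not tied to any particular database). It encrypts one health-information column per row with AES-256-GCM before the value is written, and binds the record id and column name to the ciphertext as additional authenticated data, so a ciphertext copied into another row or column will not decrypt. The function names, the `PatientRow` type, and the in-memory "table" are assumptions for illustration; the key is expected to come from a secrets manager or KMS, never from the database it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// keySize is the AES-256 key length. The key must be stored outside the
// database (secrets manager, KMS, environment of the web server only).
const keySize = 32

// newAEAD builds an AES-GCM instance and rejects keys of the wrong length,
// so a mis-configured key fails loudly instead of silently weakening the scheme.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("field encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one column value for one row. recordID and column are
// authenticated (not encrypted) so the ciphertext is tied to its position.
// Stored form: base64(nonce || ciphertext || GCM tag).
func EncryptField(key []byte, recordID, column string, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	aad := []byte(recordID + ":" + column)
	sealed := aead.Seal(nonce, nonce, plaintext, aad) // prepends nonce to output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It fails if the value was tampered with,
// or if it is presented under a different record id or column name.
func DecryptField(key []byte, recordID, column, stored string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize() {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID+":"+column))
}

// PatientRow models one database row (assumed layout). Only the health
// information column is encrypted; the id stays usable as a lookup key.
type PatientRow struct {
	ID        string
	Diagnosis string // ciphertext produced by EncryptField
}

func main() {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; the diagnosis text is not real patient data.
	row := PatientRow{ID: "patient-1"}
	enc, err := EncryptField(key, row.ID, "diagnosis", []byte("constructed diagnosis text"))
	if err != nil {
		panic(err)
	}
	row.Diagnosis = enc
	fmt.Println("stored value:", row.Diagnosis)

	pt, err := DecryptField(key, row.ID, "diagnosis", row.Diagnosis)
	fmt.Printf("decrypted in place: %q err=%v\n", pt, err)

	// Moving the ciphertext to another row fails authentication.
	_, err = DecryptField(key, "patient-2", "diagnosis", row.Diagnosis)
	fmt.Println("decrypted under a different row id: err =", err)
}
```

Encrypting at the application layer this way complements, rather than replaces, the firewall restriction in the first recommendation: the firewall limits who can reach the database, while field encryption limits what a copied backup or a leaked dump reveals. Columns you need to search or join on should be chosen so that they do not contain health information, since encrypted values cannot be queried by content.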

Securing Email Data

  1. All e-mail clients should be configured to use SSL/TLS connections to the mail server.
  2. E-mail sent to external servers cannot be guaranteed to remain secure in transit between networks, so any health information should be protected by other means (an encrypted attachment, PGP e-mail encryption, etc.).