HIPAA Compliance

HIPAA (Health Information Portability and Accountability Act of 1996) was enacted as a standard for ensuring the privacy of health information, including health information that is stored and transmitted digitally. Some refer to it as HIPPA, but HIPAA is the correct name.

Are you HIPAA Compliant?

Since we are not a health provider and carry no health information, HIPAA does not apply to us. However, we provide a secure environment that is compliant with HIPAA standards on physical data security and access safeguards so websites hosted with us can be HIPAA Compliant.

What do I need to do to be HIPAA Compliant?

Wikipedia has a good breakdown of the different parts of the security portion of the act here:

Some of the HIPAA requirements relate to your internal business and staff procedures (i.e. the “Administrative Safeguards”). The requirements that relate to us when you host health information on our servers are the “Physical Safeguards” (i.e. preventing unauthorized access to the physical hardware housing the data) and parts of the “Technical Safeguards”.

More information on our physical safeguards: Hostek infrastructure - Hostek.com Wiki

What are your recommendations for maintaining HIPAA Compliance?

Recommendations for maintaining HIPAA Compliance include:

Securing Website Data

If you will be storing any health information on your website, we have the following recommendations:

  1. VPS servers should be used over shared hosting to allow more restricted access than is possible in a shared environment.
  2. All access to secure information should take place over HTTPS using a valid SSL/TLS certificate.
  3. Any database systems that store health information should block connections via firewall rules except from your website server.
  4. Regular security scans should be done to identify possible security flaws in your web applications and scripts.

Securing Database Data

  1. Access to databases should be blocked except from your website servers that require access.
  2. Any health information within the database that can be encrypted, should be.
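As an added example (not part of the Hostek page), the following MySQL/MariaDB statements enforce the two database recommendations above at the database layer: the application account can only connect from the web server and only over TLS, and it gets no more privileges than it needs. The host address 10.0.0.5, the database name phi_db and the password are hypothetical placeholders.

```sql
-- Added example, not Hostek's own configuration. Host, database and
-- password below are constructed placeholders.

-- 1. Only the web server (hypothetical address 10.0.0.5) may authenticate as
--    the application account. A 'webapp'@'%' entry would be reachable from
--    any host. This complements the firewall rule on the database port; it
--    does not replace it.
CREATE USER 'webapp'@'10.0.0.5'
  IDENTIFIED BY '<replace-with-a-long-random-password>'
  REQUIRE SSL;

-- Least privilege: grant only the statements the application actually runs,
-- and only on the database that holds the health information.
GRANT SELECT, INSERT, UPDATE ON phi_db.* TO 'webapp'@'10.0.0.5';

-- 2. Refuse unencrypted client connections server-wide
--    (MySQL 5.7+; MariaDB supports the same variable in recent releases).
SET GLOBAL require_secure_transport = ON;

-- Checks for the periodic evaluation required by § 164.308(a)(8):
-- no wildcard-host accounts should remain, and TLS must be enforced.
SELECT user, host FROM mysql.user WHERE host = '%';
SHOW VARIABLES LIKE 'require_secure_transport';
```

Encrypting the health-information columns themselves is best done in the application before the data is written, so the encryption keys never reside on the database server.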

Securing Email Data

  1. All e-mail clients should be configured to use SSL/TLS connections to the mail server.
  2. E-mails sent to external servers cannot be guaranteed to be secure in transit between networks, so any health information should be secured by other means (an encrypted attachment, PGP e-mail encryption, etc.).

Additional Points to consider

As a datacenter and hosting provider, our compliance is best demonstrated by maintaining SOC 2 audits and certifications.

Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

Even if you get a “HIPAA certification” from an external organization, HHS can still come in and find a security violation. Third party audits and “certifications” do not absolve you from your legal obligations under the Security Rule.

In other words, hosting companies that advertise they are HIPAA certified are misleading people. Hosting with such a company is not an umbrella that makes you instantly compliant either. There is an evaluation standard in the Security Rule, § 164.308(a)(8), and it requires each company (you) to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements outlined in the rule. HHS does not care whether the evaluation is performed internally or by an external organization, as long as it happens.

Even though Hostek itself is not a health provider and carries no health information, we do have the ability to provide a secure environment that is compliant with HIPAA standards. But you still have to follow the HIPAA guidelines and perform independent evaluations.