how to evaluate a hipaa compliant data cente

1. How to Evaluate a HIPAA Compliant Data Center

2. HIPAA Compliant Data Center The U.S. Department of Health and Human Services defines certain administrative, physical and technical safeguards to HIPAA compliant data centers. The best way to assure the required security is in place is to review the data center’s SAS-70 audit report. The audit report should specifically cover the processes for the data center’s physical security, network security and access controls.

3. If you host your data with a HIPAA compliant data center, certain administrative, physical and technical safeguards should be in place, as defined by the U.S. Department of Health and Human Services.   Although all service providers tout their data centers as secure, how do you confirm it truly is HIPPA compliant? HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company dealing with patient records must ensure all the required physical, network and process security measures are in place and followed. HIPAA Compliant Data Center 3

4. When evaluating providers, the following safeguards must be in place: Physical safeguards - include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This requirement includes transferring, removing, disposing and re-using electronic media and protected health information (abbreviated as PHI). Technical safeguards - require access control to allow only authorized personnel to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption. The Minimum Safeguards 4

5. Audit reports (or tracking logs) - must be implemented to keep records of activity on hardware and software. This procedure is especially useful to pinpoint the source or cause of any security violations. Solution providers should keep very detailed records in their building monitoring system, down to the second when somebody accessed a badge reader on a door.   Technical policies - should also cover integrity controls, or measures put in place to confirm that PHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are keys to ensure any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact. A HIPPA compliant data center must ensure crucial healthcare data it handles for providers and insurers will be safe and protected in the event of a disaster.  Network, or transmission, security - is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of PHI. This requirement covers all methods of transmitting data, including email, Internet, or even over a private cloud network. The Minimum Safeguards 5

6. Healthcare IT departments can assure HIPAA compliant hosting by running its servers and data storage in HIPPA compliant data centers. The best way to assure the required security is in place is to review the data center’s SAS-70 or SSAE 16 audit report. The audit report should specifically cover the processes for the data center’s physical security, network security and access control to the data on the server. Turn to Audit Reports 6

7. A SAS-70 designation confirms the data center complies with established auditing standards. The audit is conducted by an independent, third-party CPA. SAS-70 certification includes two types of audit reports: Type I – The first step in the auditing process evaluates the organization’s description of their internal controls. Type II – Includes the Type I report and it evaluates how the controls were operating from when the Type I audit was first conducted to six months thereafter. Turn to Audit Reports 7

8. The Staggering Price of Non-Compliance HIPAA has been in place for a long time now, but its enforcement and the financial impact of violations have been hard to pinpoint in the past. However, recent cases show violations can be expensive. Massachusetts General Hospital discovered Health and Human Services is getting serious about HIPAA violations. The hospital agreed to pay the $1 million to settle potential HIPAA violations. Massachusetts General’s case involved the loss of protected health information (PHI) of 192 patients. The loss works out to over $5000 per record. 8

9. The Staggering Price of Non-Compliance A supplemental act was passed in 2009 called The Health Information Technology for Economic and Clinical Health (HITECH) Act which supports the enforcement of HIPAA requirements by raising the penalties of health organizations in violation of HIPAA Privacy and Security Rules. The HITECH Act was formed in response to health technology development and increased use, storage and transmittal of electronic health information. Healthcare IT organizations must ensure HIPPA compliant data centers have the required safeguards in place. A SAS-70 certified data center can help demonstrate compliance.

10. Michael Duckett is President of CoreLink Data Centers, a leading provider of data center hosting and managed services solutions in Chicago, Las Vegas, Phoenix and Seattle. For more information about HIPAA compliant data centers, visit http://www.corelink.com/medical-and-healthcare-it-solutions.htm today. About the Author 10