What is a HIPAA Compliant Data Center & How to Find One
Choosing a HIPAA compliant data center that meets your IT needs and serves as a trusted partner takes time, but is a critical piece of the puzzle. Non-compliance is not an option for the survival of your organization.
This is a guest post written by Chad Kissinger, Founder of OnRamp.
Stepping into 2017 after a turbulent year of cyber threats and record-setting HIPAA violations, it’s clear that you must have a focus on security and compliance. If you’re one of the many organizations that don’t have the resources they need to build and operate a compliant data center, you’re not alone. Finding the right partner for your requirements can be tough, especially when your HIPAA compliance and the protection of your business-critical data are at stake, but there are steps you can take to find a HIPAA compliant data center.
The HIPAA Security Rule contains standards to safeguard and protect ePHI when it’s at rest and in transit, including administrative safeguards, physical safeguards, technical safeguards, documentation and organizational requirements. Under this rule, you and your service providers (referred to as business associates or BAs) who have access to your sensitive data are legally responsible for its protection. A HIPAA compliant data center has the proper controls in place to prove that you adequately meet HIPAA’s guidelines. Let’s discuss the standards that comprise the Security Rule. These are required guidelines for you and your HIPAA compliant data center:
The objectives for the administrative safeguards cover a wide set of processes and evaluations—half of the HIPAA security requirements to be exact—and include assigned responsibilities for your organization as well as your vendors. Security awareness training, assigned security responsibilities, risk management, information access management, contingency plans and BA contracts are just a few of the topics covered. The timing for these implementation standards is also critical. For example, ongoing security updates and the documentation of those updates are required.
Physical safeguards protect the facilities in which your data resides. Buildings and workstations should have physical measures, policies, and procedures that protect your ePHI from natural and environmental hazards, as well as prevent unauthorized intrusion. For example, your data center needs proper access controls and validation procedures to keep unwanted guests out. A lesser-known part of this standard includes required and addressable device and media controls—i.e. instructions on how to dispose of media (required) and the importance of data backup (addressable).
Technical safeguards address access control, audit controls, integrity, data transmission security and entity authentication, but do not require specific technical solutions. Your ePHI can be protected through many different tools and solutions—and this is where your data center’s expertise becomes critical. After a full risk analysis, your provider should implement several levels of security to protect your data, including encryption.
Organizational, Policies, Procedures and Documentation Requirements
The final part of the Security Rule requires that you and your partner document all your efforts to protect your ePHI and hold each party responsible for specific tasks noted in your signed Business Associate Agreement (BAA). This legal document states that your BAs must implement the administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of your sensitive data, as stated by the Security Rule, and show how you’re addressing these controls, step-by-step.
Simply put, it’s the collection of these attributes and controls that differentiates a compliant data center from a “standard data center.”
How Do I Find A HIPAA Compliant Data Center?
When searching for a HIPAA compliant data center, you should seek providers with certifications that demonstrate their level of commitment and expertise. Hosting providers undergo annual audits against industry standards to prove that their data center operates with the proper policies, procedures, and controls to offer HIPAA compliant solutions. Use these tips to vet providers:
1: Look for Industry Standard Certifications
- HIPAA: Data centers can achieve HIPAA compliance through an audit against the OCR Audit Protocol.
- SSAE16 (formerly SAS 70): This standard by the Auditing Standards Board (ASB) measures the controls relevant to financial reporting. You’ll want to look for Type 2, which notes the auditor’s opinion of how well the service provider demonstrated their controls for a specified period of time. An update to SSAE18 is available for SOC reports starting May 1, 2017.
- SOC 1, SOC 2, and SOC 3: The Service Organization Controls reports were developed by AICPA to measure the controls of a data center. SOC 2 specifically notes the security, availability, integrity, confidentiality and privacy of a service provider, and much like SSAE16 Type 2, the SOC 2 Type 2 report includes the verification of controls from an independent auditor. The SOC 3 report acts as a summary of SOC 2 and is publicly available.

Without these certifications, you cannot be sure that a service provider is truly compliant.
2: Review Company Testimonials, Reviews, Case Studies and Ask for References
- You can learn a lot by evaluating a service provider using their past performance. Customer testimonials, reviews, case studies and references provide valuable insights into the data center’s operations and give you details about their strengths and weaknesses—directly from your peers.
Since founding OnRamp in 1994, Chad Kissinger has driven the growth and evolution of the company from a start-up ISP to an established provider of data center services, with a focus on HIPAA compliance and high security. A founding member, Former President and Legislative Chair of the Texas Internet Service Provider Association and leader in the development of OnRamp’s HIPAA Compliant Hosting solutions, Kissinger is an expert in data center technology, data privacy and security issues.