The United States requirements for securely managing Information systems in Health Care are substantially governed by federal regulations, specifically HIPAA. The detailed requirements and responsibilities are covered by the HIPAA Omnibus Rule, which was revised in 2013. Initially, these regulations for safeguarding health information applied primarily to health care delivery providers and insurers known as “covered entities”.
Electronic Protected Health Information (ePHI)
Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
Under HIPAA, PHI that is linked based on the following list of 18 identifiers must be treated with special care:
- Geographic Identifiers
- Social Security Numbers
- Health Insurance Beneficiary
- Phone Numbers
- Email Addresses
- Medical Record Numbers
- Account Numbers
- Certificate / License Numbers
- Vehicle Identifiers & Serial Numbers
- Device Identifiers & Serial Numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric Identifiers
- Unique Numbers, Characteristics, or Codes
- Full-face Photographic Images
Covered entities are liable under the final rule for violations resulting from the acts or omissions of a business associate if that business associate is an agent of the covered entity and the business associate is acting within the scope of the agency arrangement. If the business associate is not acting within the scope of that agency arrangement, the business associate is therefore liable.
HIPAA Omnibus Rule
Business associates now include any of the following types of entities:
- A health information organization, e-prescribing gateway, or any other entity that provides data transmission services to a covered entity and requires access on a routine basis to PHI.
- An entity that offers a personal health record on behalf of a covered entity. However, if the personal health record is not offered on behalf of a covered entity, then the personal health record vendor is not a business associate.
- A subcontractor of a covered entity as well as any subcontractor of a business associate, if the subcontractor accesses PHI of the covered entity.
- An individual who creates, receives, maintains, or transmits PHI on behalf of a covered entity.
Under HIPAA, all covered entities and business associates must secure health information data under a prescribed controls framework that provides adequate safeguards for physical facilities, administrative requirements (e.g. adequate security policies), and technical infrastructure.
While health care demand for information technology and especially secure storage is vast, MSPs and VARs must have a clear strategy and plans for reducing potential liability. Steps that need to be taken include:
- Ensuring the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain or transmit.
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information
- Protecting against reasonably anticipated, impermissible uses or disclosures
- Ensuring compliance by internal workforce and sub-contractors
Achieving Compliance with Hexistor
Do you perform functions on behalf of a Covered Entity that involve the access or maintenance of electronic protected health information (ePHI)? If so, that makes you a Business Associate. Hexistor has retained industry-leading security experts and is committed to assisting our Business Associate partners with their HIPAA compliance needs.
Steps to Compliance
- Maintaining Physical, Administrative and Technical Safeguards over ePHI.
- Business Associate Agreements (BAAs). Hexistor will sign your BAA.
- Strong encryption is the best defense for keeping data safe.
- Local Appliance have on-site encryption available
- AES-256 encryption will keep your clients data safe on the device, in flight, and at our compliant data centers. Local encryption ensures data integrity and security through proven methods of encryption regulation key.
- Will come with per agent or per device key control; passphrase based.
- Secure Data Centers. Datto’s bi-coastal U.S. data centers are secured and meet SSAE16 standards.
There is no magic bullet. But if you are a partner that maintains or accesses ePHI on behalf of Covered Entities, Hexistor is here to help de-mystify HIPAA compliance and help you navigate the path to achieving the proper physical, administrative and technical safeguards you need to for you and your clients to rest assured.
Service Information HIPPA