HIPAA Compliant Hosting in a Pandemic: What You Need to Know
More and more practices are going virtual as the coronavirus spreads, and HIPAA compliance and data security are becoming a bigger concern. In fact, about five medical data breaches occur every three days. Not only does technology like video conferencing software need to be HIPAA compliant, but the hosting you use to store your patient’s records also has to be HIPAA compliant. Here is everything you need to know about HIPAA compliant hosting in a pandemic.
What is HIPAA Compliant Hosting?
Whenever you’re dealing with Personal Health Information (PHI) your storage must be compliant with the Health Insurance Portability and Accountability Act (HIPAA). This is essentially a list of guidelines that anything storing sensitive medical data must follow to prevent data breaches and stolen information.
HIPAA compliant hosting follows the heightened security guidelines and data protection strategies established by HIPAA. Therefore, any hosting that stores, transferring, or accesses medical data is required to follow these guidelines below.
What to Look For in a HIPAA Compliant Hosting Provider
When evaluating HIPAA compliant hosting, here are a few things you should check. Keep in mind that HIPAA compliant hosting extends beyond just web hosting. You should also be using HIPAA compliant email hosting and
- Data is Physically Secure: Every server containing PHI data should be physically secured. Most hosting providers store it in a metal cabinet or other solid enclosure that requires a key for access. A quality HIPAA host will also take measures to ensure that it is waterproof and fireproof as well. The facility should also be physically secure and should not be accessible to anyone other than authorized personnel.
- Monitoring: Your hosting provider should also offer a detailed record of any and all data movements and transfers. The person that moved the data should also be recorded.
- Data Backups: Anytime that an ePHI record is about to be moved, the hosting provider should create an exact copy of that file before moving it.
- Authorized Personnel Only: About one-third of HIPAA data breaches are from personnel entering the organization. Before any person is allowed access to ePHI records, they should be thoroughly inspected. This includes not only screening employees, but also screening any contractors and denying entrance to visitors.
- Record of Contractors: If the facility has a broken door handle, a contractor may be required to come to the facility where ePHI records are kept to fix it. Even for something this simple, there should be a detailed record of who was at the facility, what was done, and at what time it occurred.
- Data Destruction: If any data has to be physically destroyed, the process should be recorded and peer-reviewed. The record should include how and when the data was destroyed.
- Data Breach: Should a data breach occur, there should be a record of the time of the data breach and exactly what was affected by it. They should also have a disaster recovery plan that details how they will communicate with the client they host for and their immediate emergency protocol. Healthcare organizations only have 60 days to report a data breach, but it takes, on average, 70+ days to do the reporting. Do yourself a favor and choose a hosting provider that is swift and efficient.
- End to End Data Encryption: Whenever a piece of data is transferred it should be encrypted to ensure ultimate security.
Who Provides HIPAA Compliant Hosting?
If you’re looking for a HIPAA Compliant Hosting provider, contact Host For Web today to see how we can help you!