HIPAA stands for Health Insurance Portability and Accountability Act. This act is being incorporated to set the standard and protect sensitive patient data. If any company deals with protected health information (PHI), then it needs to ensure that all the required network, physical and other process security measures are there in place and are followed.
In this act, it will include anyone who provides treatment, payment and operations in healthcare which is covered entities (CE) and anyone with access to patient information and provides support in treatment, payment or operations namely the business associates (BA). Moreover, the subcontractors or business associates of business associates also need to be in compliance.
What does the Privacy Rule of HIPAA Address?
The Privacy Rule of HIPAA addresses the accessing, saving and sharing of medical and personal information of any individual and the Security Rule of HIPAA specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically. This data is also known as electronic protected health information (ePHI).
A HIPAA compliant hosting provider have a certain administrative, physical and technical safeguards in place with accordance to the U.S. Department of Health and Human Service and so if you are hosting your data with, then you will get all those.
Technical and Physical safeguards and services provided by HIPAA compliant host are
- The physical safeguards include access and control facility which is limited having authorized access in place. All the covered entities or the companies which needs to be HIPAA compliant must have policies about use and access to workstations and electronic media. Moreover, this will include the transfer, remove, dispose and re-use of electronic media and electronic protected health information (ePHI).
- The safeguards of technical is required to access control for allow only the authorized to access electronic protected health data. The access control feature includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
- Tracking logs or Audit reports need to be implemented for keeping records of activity on software and hardware. This is especially useful so that it is possible to pinpoint the source or cause of any security violations.
- The technical policies must include the integrity controls and the measures which are put in place to confirm that ePHI hasn’t been modified or corrupted. IT disaster offsite backup and recovery are the key features to ensure that any electronic media errors or failures can be quickly back to normal and patient health information are able to recover accurately and intact.
- The last technical safeguard required for HIPAA compliant hosts is network or transmission security in order to protect against unauthorized public access of ePHI. This includes all the concerns relating to transmission of data, whether it is email, Internet, or even over a private network, such as a private cloud.
In 2009, a supplemental act called The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed supporting the enforcement of HIPAA requirements and it raised the penalties of health organizations which will be imposed on violating HIPAA Privacy and Security Rules. This act was formed in accordance with the health technology development and increased use, storage and transmittal of electronic health information.