Many types of businesses in the medical field or an affiliated industry must meet the stipulations of the Health Insurance Portability and Accountability Act, so HIPAA compliant hosting requirements are essential to know. The unenjoyable part of compliance is, well, all of it: nobody wants to think about a stack of regulations. None of it, however, is that difficult to understand.
With that in mind, this article is geared toward looking at HIPAA compliant hosting requirements in a simple, checklist format. Many of these parameters are useful to anyone, whether you use a hosting service, third-party datacenter, or have the servers in-house.
Remember that the core considerations of HIPAA for any company working with electronic medical records (EMRs) are privacy and security. The HIPAA Privacy Rule and Security Rule are what you need to be concerned with if you are getting certified (unless you are a health insurance company or similarly provide healthcare plans), and they are the same HIPAA compliant hosting requirements you should look for in a web hosting company.
Below is a basic checklist for HIPAA compliance:
- Firewall – Essentially, you need to have firewalls fully implemented on your site. There are three basic types of firewalls: hardware firewalls, software firewalls, and web application firewalls (WAFs). Typically an infrastructure has a combination of hardware and software firewalls, along with ones specifically designed for web applications, because apps create their own unique challenges and have become such a frequent target for intrusions. Making sure that technology is system-wide is one of the HIPAA compliant server requirements.
- Two-factor authentication – On all parts of your site (from the administrative control panel associated with the server – cPanel, Plesk, etc. – to your CMS – WordPress, Joomla!, etc. – to the operating systems running throughout the network – Windows, Linux, OpenBSD, etc.), you need two-factor authentication. Two-factor authentication is simple to establish, like the other HIPAA compliant server requirements: you go into the control panel for each of your systems and make the configuration changes. Obviously you need to get everyone prepared for this change, because people need to be able to continue to log in. You just need everyone’s phone number (if that is the second factor) and to make sure they have whatever they need installed before making the transition. Many of the systems you will see are based on Google Authenticator, which requires everyone to have that app installed on their phone, though there are plenty of other brands you can choose.
- Offsite backup – You want to have your data backed up in an external location. Obviously this requirement is a reasonable way to ensure all the EMRs are safe. Note how many of these requirements are probably already in place for your company. Very little is required additionally to the security parameters that most enterprises and many SMBs already have up and running. Again, hosting services must meet this and the other HIPAA compliant hosting requirements as well.
- SSL certificates – You need secure sockets layer (SSL) certificates established throughout your site, for any domains and subdomains on which sensitive information is accessed. In other words, any part of your site that requires login credentials should always also be served over SSL. Each server used for your site needs its own SSL certificate installed; note that some companies provide certificates that can be installed on multiple or unlimited servers. Also be aware that an EV certificate, creating a green address bar, and/or a respected brand name such as Norton/VeriSign (the new high-end Symantec SSL) or GeoTrust (one of Symantec’s second-tier options) can help increase trust and credibility for your system. Less costly certificates can be purchased from Comodo, GoDaddy, etc.
- SSL VPN (virtual private network) – An SSL VPN (secure sockets layer VPN), enabled in part by your SSL certificates, provides VPN capabilities through a web browser such as Firefox or Safari. Other VPNs use Internet Protocol Security (IPsec) to secure the connection between server and client. An SSL VPN, alternatively, allows access to the system without the end user having to install software on her own device, keeping business running smoothly while still meeting HIPAA compliant server requirements.
- Encrypted VPN – The VPN needs to be encrypted, and you want it to be strong, for more reasons than HIPAA. The NSA can get inside VPNs too, and you may or may not want them in there. Not all VPNs are the same, so do your homework.
- Private Hosted Environment – You cannot share resources with any other entities if you want to meet HIPAA compliant server requirements. Working with a hosting provider that has experience properly privatizing your infrastructure obviously helps.
- SSAE 16 Certification – Note that Statement on Standards for Attestation Engagements (SSAE) 16, created by the American Institute of Certified Public Accountants (AICPA), is more stringent, in some ways, than HIPAA is regarding security. It’s not a requirement for HIPAA, but seeing that certification should make you feel more confident that a company meets HIPAA compliant hosting requirements.
- Business Associate Agreement (BAA) – If you use any outside entity to assist with your EMR, including a hosting company, you must have a BAA signed with that organization. That document does not clear you of your own responsibilities under HIPAA, but it does delineate the role the hosting company takes and the ways in which it can be held liable for any breaches, etc.
Those are the basic parameters. Here is additional information related to HIPAA from the US HHS Department. If you need hosting or colocation, Atlantic.Net provides HIPAA compliant versions of both. If you need help selecting a web hosting company, ask these four questions.
By Brett Haines