OnRamp Is Your Trusted Partner in Helping to Achieve HIPAA Compliance.
HIPAA Compliant Server Overview
There is no such thing as a “HIPAA Compliant Server.” There are HIPAA compliant business solutions and organizations that can help your business meet and maintain HIPAA compliance, but a server cannot receive the same designation. This is because “HIPAA compliance” refers to strict adherence to a comprehensive set of federal guidelines that, if followed properly, help ensure the safety and security of all healthcare-related information and data. The designation is reserved for companies that demonstrate, on a continual basis, their ability to account for the confidentiality, availability and integrity of data in motion and at rest.
Data security, at its root, applies to the measures employed to secure computer servers, but a common misconception is that a server itself can be HIPAA compliant.
Let’s debunk this myth by defining HIPAA compliance and explaining how servers fit into the equation.
Under federal regulation, all business associates (BAs) and covered entities (CEs) are subject to the HIPAA Security Rule. This rule, which was set forth in the HITECH Act of 2003, strengthened the privacy and security protections for health information that were established under HIPAA in 1996.
The HIPAA Security Rule has three main parts: administrative, technical and physical safeguards.
The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Achieving compliance under HIPAA and HITECH involves much more than the purchase of a single piece of equipment; it involves the entire network and facility within which that device resides. In the case of a server, it must be properly configured and use an appropriate level of encryption. In addition, it must be paired with firewalls, routers, switches and other devices as part of a complete physical compute infrastructure in order to meet these stringent guidelines from a technical perspective.
Furthermore, auditors must be able to view the equipment that comprises the IT environment. In a shared, public cloud environment, this is nearly impossible to achieve. Your data may be split across multiple servers, possibly even across great geographic distances, often with no real documentation that the proper configurations and encryption levels are maintained. The increased risk to data stored in a public cloud environment, and the difficulty of auditing it properly, heightens the importance of building a dedicated IT infrastructure designed specifically for your needs, in compliance with the rules and regulations set forth by HIPAA.
Making use of HIPAA Compliant Hosting services and Private Clouds, such as those offered by OnRamp, can eliminate any issues that might arise in a public cloud environment because data is stored on highly secure, highly available, dedicated servers and equipment. Our advanced hosting solutions act as a flexible, seamless extension of your IT department, maintaining data integrity, availability and confidentiality to ensure your compliance across the entire IT environment.