HIPAA compliance for data centers is a hot topic these days, one that requires co-location and managed services entities to become compliant with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. However, challenges remain, as organizations are often unsure which specific regulations within HIPAA apply, to whom they apply, and which best practices to implement for the areas the HIPAA language itself leaves rather vague.
Take note of the following best practices regarding HIPAA compliance for data centers, courtesy of Flat Iron Technologies, LLC, one of North America’s leading security & consulting firms offering a wide array of compliance services.
Get Educated on HIPAA
One of the biggest challenges data centers have with HIPAA compliance, along with many other businesses and industries, is a genuine lack of understanding of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. What is it? How many sections and provisions must we comply with? What is the difference between the Security Rule and the Privacy Rule? These are just a small sample of the questions data centers have asked over the years, and, to be fair, they are good questions that demand clear and comprehensive answers. For clarity, data centers should pay particular attention to the HIPAA Security Rule, which encompasses the following:
- HIPAA Security Rule 164.308 | Administrative Safeguards
- HIPAA Security Rule 164.310 | Physical Safeguards
- HIPAA Security Rule 164.312 | Technical Safeguards
- HIPAA Security Rule 164.314 | Organizational Requirements
- HIPAA Security Rule 164.316 | Policies and Procedures
Specifically, any entity seeking to comply with the HIPAA Security Rule’s safeguards, requirements, and policies and procedures mandates should focus on the above areas, which require an enormous amount of documentation along with the implementation of various internal controls and related processes and practices. Remember this: HIPAA, like most compliance mandates, is highly dependent on documentation (i.e., policies and procedures) along with formalized processes and practices.
In the world of data centers, there are two broad service models: traditional co-location (“ping, power and pipe”) and managed services, which range from managed network devices to managed operating systems and managed applications. Whichever model you fall into, one or the other or a hybrid of both, ultimately dictates how far the scope of HIPAA compliance stretches, specifically for the HIPAA Security Rule. Once data centers start offering managed OS and managed applications, along with managed network services, the scope of HIPAA grows, and grows considerably. Think about it: every system that stores, processes and/or transmits Protected Health Information (PHI) under the umbrella of managed services is now in scope, which essentially means managed services providers are in scope for all aspects of the HIPAA Security Rule, from 164.308 to 164.316.
Conduct a HIPAA Readiness Assessment
Unearthing and answering the “who, what, when, where, and why” of HIPAA compliance can only be achieved by undertaking a thorough HIPAA Readiness Assessment, an essential element for properly defining scope and determining areas of remediation. This matters because scope (as just discussed) in turn determines which policies, procedures, and related processes are needed to ensure compliance. A readiness assessment, when conducted properly, is a highly useful exercise that yields significant findings for any organization.
Additionally, it often turns up critical issues and threats that require immediate attention and subsequent remediation. Flat Iron Technologies, LLC, offers in-depth HIPAA Security Rule and HIPAA Privacy Rule Readiness Assessment checklist documents to help ensure full compliance with the two most important and well-known mandates within HIPAA. Remember, HIPAA compliance is largely about documentation, so the need for comprehensive HIPAA policies and procedures (discussed next) cannot be overlooked.
Understand the Importance of HIPAA Policies and Procedures
HIPAA is no different from SOC 1, SOC 2, PCI DSS or FISMA compliance in that all major compliance mandates require a heavy dose of information security and operations-specific policies and procedures. Documentation is often the key to regulatory compliance success, so data centers will need to obtain comprehensive HIPAA policy templates. From the well-known HIPAA Security Rule requirements to the often complex HIPAA Privacy Rule mandates, data centers will need to properly scope out their own HIPAA responsibilities to ensure they have the correct documentation in place.
And if data centers are undertaking SSAE 16 SOC 1 and/or SOC 2 compliance, as many do, an essential first initiative is a “mapping” of HIPAA policies to the documentation they already maintain for those other compliance audits.
Compliance is not ONE and DONE
Not at all; it is actually about continual compliance, every day, doing what needs to be done to ensure the safety and security of Protected Health Information (PHI), and that can be a challenge. Even so, compliance with HIPAA is much more achievable when all mandated policies and procedures are in place and security awareness training and risk assessments are undertaken each year.