HIPAA Compliant IT Security and Best Practices

Posted 10.19.11 by
wpadmin
Blog

If you collect, process, store or transmit protected health information (PHI), including medical records, you will need to be able to pass a HIPAA audit to meet HIPAA compliance. To meet security safeguards, certain technologies and procedures are recommended in the industry, even if not specifically outlined by HIPAA standards.

The rules and regulations in the Code of Federal Regulations (CFR) that pertain to HIPAA dictate that Online Tech, as a business that deals with clients’ PHI, must:

  1. Protect the availability, integrity and confidentiality of PHI
  2. Have Business Associate Agreements (BAAs) with clients who have PHI
  3. Report any violations of PHI misuse to the OCR (the Office of Civil Rights that audits, fines and charges companies and individuals for HIPAA violations).

We deploy all of the following technology internally that helped us pass our own HIPAA audit, and allows us to offer HIPAA compliant hosting solutions in our HIPAA compliant data centers (we also happen to offer and recommend these services to our clients that need to be HIPAA compliant):

  • Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access
  • Managed Cloud Server (good to ensure high availability and access to data and applications)
  • Separate database and web servers for production
  • Separate test server (while the same for web and database, it is not the same for production)
  • Offsite backup at a minimum, although disaster recovery is better
  • SSL certificates and HTTPS for all web-based access to PHI (to ensure secure connections)
  • Set up private IP addresses
  • Encryption – best practice to do while it is stored in the database and especially in transport. PHI should be encrypted to the NIST standard, Advanced Encryption Standard (AES).

HIPAA compliance is about more than just deploying the right technology; it’s also about your own policies and procedures. What are some best practices for your company to do to meet HIPAA compliance?

  • Documentation – write out data management, security, employee training and notification plans.
  • Implement a password policy.
  • Don’t use public FTP (File Transfer Protocol) to move your files.
  • Only use VPN access for remote access.
  • Implement login retry protection in your application.
  • Document a tested and detailed disaster recovery plan to recover data in the event of a disaster.

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.

Related Resources

Love free information? Then you should check out these other related resources:

View All Resources

COMPLIANT CLOUD

PCI Compliance in Cloud Computing

COMPLIANT CLOUD

HIPAA Compliance End to End

CLOUD COMPUTING

Accelerated Cloud Adoption; a silver lining?

Get started with Otava now!

  • This field is for validation purposes and should be left unchanged.