What is HIPAA and who needs to comply with it?
HIPAA, the Health Insurance Portability and Accountability Act, was passed into law in August 1996 with the intention of enabling better access to health insurance, reducing health care fraud and abuse, and lowering the overall cost of health care in the U.S. It applies to all business entities that store patient data electronically. Those who must comply are:
- Health Plans
- Health Care Clearing Houses
- Health Care Providers (doctors, dentists, chiropractors, etc.)
Two Rules were implemented to define HIPAA Privacy and Security:
- HIPAA Privacy Rule: Mandatory compliance - April 14, 2003
- HIPAA Security Rule: Mandatory compliance - April 21, 2005
The HIPAA Privacy Rule sets standards for how protected health information "in any form or medium" should be controlled and specifically requires that privacy and security be built into the policies and practices of health care providers, plans, and others involved in health care.
The HIPAA Security Rule is the first comprehensive Federal protection for the privacy of personal health information and identifies standards and implementation specifications that organizations must meet in order to become compliant.
General Requirements of the HIPAA Security Rule
The Security Rule establishes that covered entities must do the following:
- Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure compliance by the workforce.
How does Skadoit help business entities become HIPAA compliant?
- HIPAA Privacy & HIPAA Security Rules
- Physical Security
- Private and Public Encryption Keys
- Logical Security
- Online and Offsite or Remote Backup
- Written Contingency Plan
Encrypting data during backup: All data being backed up is encrypted with 256-bit encryption prior to transfer and sent through a secure 128-bit SSL tunnel to our Skadoit datacenters.
Maintaining encryption of data on Skadoit servers: All backed up data maintains the 256-bit encryption while stored "at rest" in a Secure Data Center.
Skadoit servers are located in a Tier 4 datacenter protected by 24 x 7 x 365 on-site staffed security and technicians, electronic card key access, biometric access, and security cameras inside and outside the building. Within the datacenter, Skadoit servers are protected within cages under lock and key.
Users have a choice of using a Skadoit generated 256-bit key or managing their own private key to encrypt their data.
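The two statements above describe the shape of a client-side backup encryption scheme: data is encrypted with a 256-bit key before it leaves the client, stays encrypted at rest, and the key is either generated by the provider or managed by the user. The following is an added illustration written for this page, not Skadoit's software; every function name is hypothetical, the passphrase-to-key step uses a plain SHA-256 hash only to stay within Go's standard library, and the patient record is a constructed sample, not real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AES-256 takes a 32-byte key, matching the "256-bit encryption" the page refers to.
const keyBytes = 32

// NewProviderKey models the "provider-generated 256-bit key" option:
// the key is drawn from the OS CSPRNG. Hypothetical helper, not a vendor API.
func NewProviderKey() ([]byte, error) {
	k := make([]byte, keyBytes)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// KeyFromPassphrase models the "manage your own private key" option. The
// passphrase is hashed with SHA-256 to 32 bytes so the example stays
// stdlib-only; a real client should use a salted, memory-hard KDF instead.
func KeyFromPassphrase(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// EncryptForBackup seals one backup record with AES-256-GCM on the client,
// before transfer. Output layout is nonce || ciphertext || GCM tag, with a
// fresh random nonce per record so identical records never produce identical blobs.
func EncryptForBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyBytes {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFromBackup reverses EncryptForBackup. A wrong key, a truncated blob or
// any modification of the stored bytes fails the GCM tag check and returns an
// error rather than silently yielding garbage.
func DecryptFromBackup(key, blob []byte) ([]byte, error) {
	if len(key) != keyBytes {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real protected health information.
	record := []byte("patient=Jane Example; mrn=000000; note=constructed sample")

	userKey := KeyFromPassphrase("correct horse battery staple")
	blob, err := EncryptForBackup(userKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes of ciphertext, no plaintext\n", len(blob))

	// Only the holder of the key can read the record back.
	if _, err := DecryptFromBackup(KeyFromPassphrase("wrong passphrase"), blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	back, _ := DecryptFromBackup(userKey, blob)
	fmt.Println("restored with the right key:", string(back))
}
```

The design point the two key options hinge on is where the key lives. With a provider-generated key, the provider can in principle decrypt the stored blobs, so the at-rest protection depends on their key handling and access controls. With a user-managed key, the provider only ever holds ciphertext, which is the stronger confidentiality property, but losing the key makes every backup unrecoverable, so the key itself needs to be part of the written contingency plan.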
Access to backed up data is strictly limited and controlled by Skadoit personnel; clients may access their data via the web using the password-protected, web-based Skadoit administrative console and supplying a valid encryption key. Internet access is strictly controlled and protected utilizing sophisticated intrusion detection.
Skadoit is an automated online and offsite or remote backup service and functions as a key component in the disaster recovery plan of any organization, as protection against hardware failure, theft, virus attack, deletion, and/or natural disaster.
The HIPAA Security rule requires that covered entities have a written contingency plan for responding to system emergencies, including a detailed plan concerning the data backup and recovery process in the event of a disaster.
NOTE: There is no standard "HIPAA Certificate of Compliance" for backup software and services. For more information about HIPAA and HIPAA compliance, contact your legal counsel or refer to the HIPAA section of the U.S. Department of Health and Human Services' website: http://www.hhs.gov/ocr/hipaa/