HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996, and establishes national rules for assuring the confidentiality, integrity, and availability of electronic protected health information, or e-PHI.
Is Platinum Web Services HIPAA Compliant?
As a company, Platinum Web Services cannot be HIPAA compliant, in the same way that we cannot be SEC compliant: we are not a health care or financial company, and therefore are not governed by the regulations or guidelines set for either of these industries.
For HIPAA compliance, this means we are not a "covered entity"; covered entities are one of the following:
- A health plan
- A health care clearing house
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by
The other entity requiring compliance with HIPAA regulation is the "business associate". A business associate is defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity". Because backup providers do not use or disclose this information (in activities such as claims processing, data analysis, billing or practice management) but merely store it, Platinum Web Services does not fall under HIPAA regulations as a business associate.
How does Platinum Web Services fit in?
Although Platinum Web Services is not covered by HIPAA regulations (and therefore cannot be HIPAA compliant), the use of our services by covered entities is covered. As such, Platinum Web Services' role as a backup vendor is to provide covered entities with services that allow them to comply with both the HIPAA privacy rule and the HIPAA security rule in:
- Identifying and protecting against reasonably anticipated threats to the security or integrity of ePHI
- Maintaining continuous, reasonable, and appropriate security protections
- Limiting uses and disclosures of ePHI to the "minimum necessary"
Platinum Web Services assists covered entities in adhering to these guidelines by:
- Encrypting data at the source and in transit, ensuring that data stored by a Platinum Web Services solution is never held in an unencrypted state
- Storing data in a Tier 3 data center with copious physical security measures and access control policies
- Providing a service to covered entities that allows them to establish appropriate data backup and disaster recovery procedures
Covered entities must also maintain written security policies and procedures as well as written records of audits, activities, actions and assessments. As an additional benefit, the Platinum Web Services solution can assist covered entities in complying with this requirement by providing robust archiving rules that allow specific, user-definable subsets of files to be stored in the Platinum Web Services data center.
While covered entities are required to enact privacy and security policies for protected health information, these entities are given a fair amount of leeway to create a policy that best applies to their situation, and the scope of their business.
What areas present risk or confusion?
One specific area that may present risk or confusion is the "audit controls" section of the HIPAA security rule. This section states that a covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI. It is unclear whether our customers need access to this auditing information. Clarification is needed to determine whether our data centers would be considered an extension of the entity's information systems, or a separate system administered by a decidedly non-covered entity (Platinum Web Services).
On February 7, 2011, a rule to establish a permanent Health Information Technology (HIT) certification will go into effect. This rule states that as early as December 31, 2011 a permanent certification process will be put in place to officially endorse EHR (Electronic Health Records) solutions and modules, replacing the temporary certification process put into place in the summer of 2010. Although this certification does not apply to backup solutions, there are two important takeaways from this announcement. First, HIT is becoming recognized by government agencies, and further certification and regulation efforts will likely follow; second, security continues to be a core focus of healthcare regulations and certifications, a focus that we should continue to monitor while examining future opportunities for Platinum Web Services in the HIT space.