HIPAA, signed into law in 1996, goes through periodic updates and regulation changes to stay current with the digital age. This matters because the healthcare industry is one of the top targets for cybercriminals, given the amount of personal information that can be obtained from a successful data breach.
As attacks against the healthcare industry rise, so do HIPAA violations – in fact, 2018 was a record year for HIPAA enforcement, in terms of settlement payments made to the Office of Civil Rights (OCR). Adherence to HIPAA regulations is critical, as the OCR is vigilant for HIPAA violations in this digital age, and one important regulation pertains to HIPAA compliant hosting.
What Makes Data Hosting HIPAA Compliant?
Data center hosting for the healthcare industry has strict regulations according to HIPAA, and so there are several requirements for a data host to be considered HIPAA compliant.
Patients’ protected health information must be encrypted to prevent unauthorized access, including web-based access. The Advanced Encryption Standard (AES) is the recommended encryption method, whether with 128-, 192-, or 256-bit keys.
The data host must have a properly configured firewall, and remote access must go through a VPN. Only people with proper credentials should be able to access the network remotely.
It is also a requirement that a disaster recovery plan be in place, in case of a server malfunction or lost patient records. Hospital and patient records must be kept on a dedicated IP address located outside of the public internet, and the physical storage should be isolated and secure. In other words, not only must the network itself be strongly secured, but physical access to the data center and server room must be restricted as well.
How To Find A HIPAA Compliant Hosting Provider
A properly HIPAA compliant hosting provider (data center) has to follow several protocols to be HIPAA compliant. One thing that makes choosing a HIPAA compliant hosting provider difficult is that there is technically no such thing as HIPAA certification, so you must research which hosting providers offer truly HIPAA compliant hosting.
There is a large checklist of requirements for a data center to be HIPAA compliant, but a few of them are that the data center should have offsite data backups, SSL, SSAE and SOC certifications, an encrypted VPN, a firewall, and a BAA (Business Associate Agreement). This is of course only a small subset of the HIPAA compliance requirements, and you can find a more detailed list on the link above.
HIPAA Violation Penalties
There are different tiers of HIPAA violations, depending on whether the violation was knowingly committed and whether the data breach could have been avoided. These tiers and their penalties are:
- Tier 1: A violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000.
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules). Minimum fine of $1,000 per violation up to $50,000.
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation up to $50,000.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation.