How HIPAA Targets Your Data (and More Companies Than You’d Think)


September 7, 2017 Disaster Recovery Blog, Disaster Recovery News Blog, High Availability Blog Articles, Regulatory Compliance Blog

HIPAA is one of those names that everyone recognizes. Although it was designed to set the standard for medical patients’ privacy, HIPAA affects more companies than you’d think. How you store and manage your data is key in determining whether or not you’ll meet compliance.


HIPAA (1996) Defined

HIPAA (the Health Insurance Portability and Accountability Act) is one of the most widely known regulations among companies and consumers alike. Setting the standard for protecting sensitive patient information, HIPAA was designed to ensure that stored data is secure and confidential, yet available when needed.

While you might think that only health insurance companies need to be concerned about abiding by HIPAA, this is untrue. HIPAA also applies to covered entities (CEs), meaning anyone who provides treatment, payment, or similar healthcare operations, as well as to business associates who could access patient information.

More specifically, companies affected by HIPAA include:

  • Healthcare providers (like hospitals and clinics)
  • Healthcare clearinghouses (such as banks that offer healthcare claims processing)
  • Health plans (insurers, HMOs, employers and schools that collect, store or transmit electronic protected health information)
  • Business associates (such as private sector vendors and third-party administrators, as well as subcontractors of these associates)

In general, any institution that manages, transmits, or has access to data pertaining to patient information can be assumed to fall under HIPAA.


HIPAA and Your Data

HIPAA mandates that your sensitive data have three qualities: privacy, security, and availability.

HIPAA is notable for how it directly addresses data availability requirements. It specifically mandates that relevant organizations “… assure their customers (for example, patients, insured individuals, providers, and health plans) that the integrity, confidentiality, and availability of electronic protected health information they collect, maintain, use, or transmit is protected.” The Act notes the vulnerability of this data, stating that “the confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission.”

This means that data must be stored in a secure environment, like a private cloud, and be adequately encrypted during transmission to its destination, such as a hot site. Penalties for failure to comply start with the obvious, like lost customers and bad press, but quickly jump to civil and criminal penalties as well.


The Solutions You Need to Be Compliant

Do you have a contingency plan in place?

HIPAA specifically mandates that companies have contingency plans that “…establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” This clearly highlights the necessity for both high availability (HA) and disaster recovery (DR).

Without DR solutions in place, the loss of critical (and sensitive) healthcare data would have serious legal and ethical implications. DR is essential to keeping your data resilient and durable in the face of countless scenarios, from natural disasters to hardware failure and simple human error.

With regard to HA, HIPAA defines available data as that which is “…accessible and useable upon demand by an authorized person.” Note the specification of both accessible and useable; these two elements are often mistaken for synonyms. Although DR solutions keep your data secure, it takes HA data replication and a hot site (or even a private cloud) to restore data and make it useable.

With these solutions in place, your sensitive data will be secure, available, and – more importantly – actionable.


In this series we outline how 5 of today’s biggest regulations affect your company’s information security and availability.

If you’re interested in seeing how other regulations affect your data, check out:

  1. The Gramm-Leach-Bliley Act
  2. The Sarbanes-Oxley Act (SOX)
  3. The USA PATRIOT Act
  4. Basel II


For more information on how to keep your data secure, available and compliant for regulations like HIPAA, contact us today at 317-707-3941.
