Copyright © Online Tech 2012. All Rights Reserved. page 1 of 36


HIPAA Compliant Data Centers

1.0. Executive Summary ..... 3
2.0. Impact of HITECH and HIPAA on Data Centers ..... 3
3.0. What is a HIPAA Compliant Data Center? ..... 5
3.1. Administrative Safeguards ..... 5
3.2. Physical Safeguards ..... 6
3.3. Technical Safeguards ..... 7
3.4. Organizational Requirements ..... 8
3.4.1. Business Associate Agreements ..... 9
3.5. HIPAA Compliant Data Center Architecture ..... 11
3.5.1. Requirements ..... 12
3.5.2. Enhanced Security ..... 14
4.0. Outsource vs. In-House Hosting ..... 16
4.1. Benefits of Outsourcing Hosting ..... 16
4.2. Risks of Outsourcing ..... 17
5.0. Vendor Selection Criteria ..... 19
5.1. HIPAA Compliant Business Associates ..... 19
5.2. Other Key Data Center Considerations ..... 22
6.0. Conclusion ..... 27
7.0. References ..... 28
7.1. Questions to Ask Your HIPAA Hosting Provider ..... 28
7.2. Example BAA ..... 29
7.3. Data Center Standards Cheat Sheet ..... 35


1.0. Executive Summary

The increasing pressure to implement meaningful use, reduce healthcare costs, and improve care outcomes while still protecting patient interests has led to strategic review and overhaul by many healthcare providers and vendors. Evaluating outsourcing options to allow industry experts to manage parts of the healthcare IT components is an obvious part of the equation, and the intensive capital expense, human resource, security, and maintenance demands specific to data centers make these prime candidates for cost savings.

However, balancing the resource benefits of outsourcing data center and hosting services with the risks of engaging an off-premise Business Associate is daunting in the wake of increasing PHI (protected health information) breaches and penalties. Ultimately, finding the best blend of resources that can fulfill the availability, integrity, and confidentiality requirements to protect ePHI (electronic protected health information) - and thereby protecting the patients, Covered Entities, and Business Associates - is the challenge at hand.

This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

2.0. Impact of HITECH and HIPAA on Data Centers

Protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) is the essence of the HIPAA Security Rule [1]. Since data centers typically store, transmit, or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence apply just as much in the data center as in a provider’s facility.

While there is some debate about the responsibilities of business associates for the protection of ePHI, all indications point towards business associates being held as responsible as covered entities. Consider the latest notice of proposed rulemaking that speaks to the extension of responsibilities from covered entities to business associates:

    As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities. [2]

[1] U.S. Dept. of Health and Human Services, HIPAA Security Series: Basics of Risk Analysis and Risk Management; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf

Moreover, both covered entities and business associates should bear in mind that prosecution by the Office of Civil Rights (OCR) under HITECH is not the only legal concern. The last year has witnessed an increase in state and consumer lawsuits against both covered entities and business associates. In January 2012, the Minnesota Attorney General filed a lawsuit against Accretive Health for failing to protect the confidentiality of over 23,000 patient healthcare records. [3]

The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ePHI resides. This means that data centers, whether in-house or outsourced, need to fully embrace complete responsibility for ePHI. In the areas of administrative safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare providers tend to be stronger. In the areas of technical safeguards and PHI availability, professional data center companies that invest extensively in redundant facility infrastructure and security may be the safer bet.

[2] U.S. Dept. of Health and Human Services, Federal Register Part II; http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf

[3] Minnesota Attorney General, Attorney General Swanson Sues Accretive Health for Patient Privacy Violations; http://www.ag.state.mn.us/Consumer/PressRelease/120119AccretiveHealth.asp

Ideally, either a healthcare provider would have infinite resources to build and maintain multiple, high-availability data centers, or a data center hosting business associate would have a thorough understanding of HIPAA compliance, including a HIPAA security risk analysis and management, policies, training of all employees, and ongoing HIPAA compliance audits. While both ideals exist, they are in the minority. In these cases, the weighing of the pros and cons falls back to the risk analysis and management to choose the best option that will maintain ePHI confidentiality, integrity, and availability.

3.0. What is a HIPAA Compliant Data Center?

Data centers need to adhere to the administrative, physical, and technical safeguards and standards set forth by the HITECH act to be HIPAA compliant. Following is a brief review of the administrative, physical, and technical safeguards with specific notes applicable to data centers.

3.1. Administrative Safeguards

The Security Management Process described under 164.308(a)(1) includes requirements for HIPAA Risk Analysis and Risk Management, which “form the foundation upon which an entity’s necessary security activities are built.” (68 Fed. Reg. 8346.) [4]

Start by reviewing the data center’s HIPAA Report on Compliance, sometimes referred to as an HROC. Providers who maintain their own data centers are likely to have this included in their risk analysis and management plan already. This can serve as a useful point of comparison across the various HIPAA standards, citations, and implementation specifications when outsourcing to a third-party data center Business Associate.

Data center providers who have invested in an independent HIPAA risk assessment should provide a copy of their HIPAA compliance report upon request, at least under NDA. When a data center business associate can provide a HIPAA compliance report, it will save covered entities (CEs) the significant costs of evaluating HIPAA compliance, which should happen in advance of entering into a partnership. If a CE elects to outsource data center hosting services to a business associate that does not have, or does not provide, an independent HIPAA report on compliance, the CE will have to bear the burden of evaluating compliance and proving due diligence.

Other Administrative Safeguards that should be in place in all data centers that store, transmit, or process ePHI include:

● Assigned Security Responsibility 164.308(a)(2)
● Workforce Security 164.308(a)(3)
● Information Access Management 164.308(a)(4)
● Security Awareness and Training 164.308(a)(5)
● Security Incident Procedures 164.308(a)(6)
● Contingency Plan 164.308(a)(7)
● Evaluation 164.308(a)(8)
● Business Associate Contracts and Other Arrangements 164.308(b)(1)

[4] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Basics of Risk Analysis and Risk Management; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf

3.2. Physical Safeguards [5]

STANDARD                    SECTION            IMPLEMENTATION SPECIFICATIONS
Facility Access Controls    § 164.310(a)(1)    Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
Workstation Use             § 164.310(b)
Workstation Security        § 164.310(c)
Device and Media Controls   § 164.310(d)(1)    Disposal; Media Re-use; Accountability; Data Backup and Storage

Nothing beats an on-site visit to ascertain the level of security. Think of it this way. This data center might hold the data of hundreds, or thousands, of your patients. You want to feel the same sense of solid trust and ease from your visit - the same way you want your patients to feel towards their own care providers. As an extension of a covered entity, the business associate should foster a sense of expertise, careful procedure, and a willingness to communicate openly about questions and policies. Imagine the first night of sleep after moving your PHI to this place - will you sleep soundly, or lie awake in dread?

Things to check for include the following:

● Dual-factor authentication - If not personally escorted, anyone in the data center should be wearing a badge to identify them and need at least 2 forms of identification for access, such as badge and access code, or biometric fingerprint scanner and badge. If you go for a data center visit and are not asked to sign in and wear a badge, security should be considered less than adequate.
● Prolific use of video surveillance - Ask to see the video logs and how long they are kept (should be at least 90 days).
● Visitor logging - The entries in the logbook should directly match the video surveillance tapes. Ask when the last independent auditor confirmed the match of visitor logs with the video archives. Ask who the auditor was and investigate the auditor’s company to confirm their credibility.
● Procedure Documentation - Ask to review the documentation for the procedure to allow access by unannounced visit, phone call, or email. Don’t just ask the security or compliance officer - ask anyone. If there is a consistent policy and procedure in place, you should get a consistent and reassuring answer.

[5] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Physical Safeguards; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

3.3. Technical Safeguards [6]

STANDARD                          SECTION            IMPLEMENTATION SPECIFICATIONS
Access Control                    § 164.312(a)(1)    Unique User Identification; Emergency Access Procedure; Automatic Logoff; Encryption and Decryption
Audit Controls                    § 164.312(b)
Integrity                         § 164.312(c)(1)    Mechanism to Authenticate Electronic Protected Health Information
Person or Entity Authentication   § 164.312(d)
Transmission Security             § 164.312(e)(1)    Integrity Controls; Encryption

[6] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Technical Safeguards; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

The HIPAA Security Rule does not require specific technology solutions, but it does outline the standards and implementation specifications. The Rule’s intent is to allow covered entities the flexibility to determine which security measures are a good fit for their company, depending on size and different needs.

The HHS provides guidance around the implementation specifications below:

Unique User Identification – Assign a unique user ID to each employee so that your company can track user activity while the user is logged into an information system.

Emergency Access Procedure – Establish a written procedure outlining the protocol to access ePHI in the event of an emergency, including policies around who needs access and possible ways to gain access.

Automatic Logoff – Automatic logoff should be implemented on every workstation with access to ePHI after a certain period of inactivity.

Encryption and Decryption – This is not required, but instead recommended as a safeguard to be implemented only if deemed reasonable and appropriate for the covered entity. Determine which ePHI or software programs are appropriate for encryption.

Audit Controls – This refers to implementing a system that logs and monitors activity on information systems with ePHI.

Authentication – Intended to protect the integrity of ePHI, the existing systems should have functions or a process to check for data integrity, such as digital signatures. When it comes to person or entity authentication, proof of identity should include a password or PIN, smart card, token, key and/or biometrics (fingerprints, facial patterns or voice patterns).

Transmission Security – For integrity controls, the primary method to protect ePHI is through the use of network communications protocols, although other methods include data or message authentication codes. Encryption is another option to consider after reviewing your company’s methods of transmission, frequency of transmission, and potential issues found in your risk analysis.

3.4. Organizational Requirements [7]

STANDARD                                              SECTION            IMPLEMENTATION SPECIFICATIONS
Business associate contracts or other arrangements    § 164.314(a)(1)    Business Associate Contracts; Other Arrangements
Requirements for Group Health Plans                   § 164.314(b)(1)    Implementation Specifications; Policies and Procedures; Documentation (Time Limit, Availability and Updates)

[7] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf

The Organizational Requirements found in the HIPAA Security Rule concern contracts and agreements with business associates (BAs) and the policies, procedures and documentation guidelines for group health plans.

Business Associate Contracts (or Agreements, BAA) – This ensures business associates will implement the HIPAA safeguards to protect ePHI they receive or maintain on behalf of the covered entity. It also ensures that any subcontractors they work with will also follow the safeguards. The agreement requires BAs to report all security incidents and allow contract termination if any violations occur (read more about BAAs below).

Other Arrangements – This is allowed only if both the business associate and covered entity are government entities, and they enter into a memorandum of understanding (MOU) that addresses all of the objectives of a BAA.

Group Health Plans – The implementation specifications are the same as those required for BAAs (above). Required policies, procedures and documentation must be retained for a period of at least six years, be available via print or Intranet, and be reviewed and updated based on environmental or operational changes that affect ePHI security.

3.4.1. Business Associate Agreements

Not only does an effective business associate agreement need to be in place between covered entities and their business associates; the contractors and vendors of the business associate must also share and sign business associate agreements if there is any potential of access to PHI data. [8]

The business associate agreement (BAA) is the ideal place to clarify the roles and responsibilities between the covered entity and the business associate. For example, the OCR requires the following documentation in the event of a PHI breach:

Documentation

● Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.
● Documentation of an internal investigation conducted by the covered entity in response to the allegations, including a copy of the incident report prepared as a result of the laptop and server theft.
● Documentation of the covered entity’s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:
    ○ Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.
    ○ Re-training of appropriate workforce members.
    ○ Mitigation of the harm alleged, as required by the Privacy Rule.

[8] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf

HIPAA Policies and Procedures

● A copy of HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.
● A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.

Physical Safeguards

● Evidence of physical safeguards implemented for computing devices to restrict PHI access.
● Business Associate Agreements and/or policies and procedures implemented to ensure Business Associates have implemented the appropriate safeguards (if applicable).

Risk Assessment

● A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.
● Evidence of security awareness training for involved workforce members, including training on workstation security.
● Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

Breach Notification

● A copy of the written notification of the breach provided to the affected individuals.
● A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.

Much of the required documentation requires months of planning and implementation. If you sign a BAA today, and have a PHI breach tomorrow, are you confident that your data center can provide the necessary information to respond in a thorough and timely manner to the OCR?

3.5. HIPAA Compliant Data Center Architecture

The diagram below shows elements of a HIPAA compliant hosting architecture. To create this, we worked with Certified HIPAA Security Specialists and Certified HIPAA Professionals who matched each HITECH standard, specification, and implementation with a common technology application to meet Security Rule compliance. Each element is described in the following pages.

3.5.1. Requirements

Antivirus

The Security Awareness and Training Standard of the HIPAA Security Rule (Section 164.308(a)(5)) [9] specifically calls out the need for “Protection from Malicious Software.” We all use antivirus on our laptops, so using this on a server operates under the same premise: safety and security for critical infrastructure. This is one of the most important elements of security you can buy for the money for a managed server.

OS Patch Management

Routine OS patch management is required in today’s IT climate. And yes, there are many older servers, older applications, and just plain old implementations out there that IT administrators are scared to touch. These are, for example, the MS-SQL 2000 implementations that are connected to disparate systems, ERP systems, and other legacy applications that IT managers feel might break if patched. These are often unpatched due to lack of funding for application redesign, and sheer terror on the part of some IT managers to implement change for the security and good of the company.

With all the security bulletins, holes, bugs, zero-day exploits, viruses, and other security vulnerabilities announced daily for operating systems, applications, and databases, a well-defined patch process is needed to safeguard all systems. This includes choosing one or more patch process tools, processes, and procedures, and then setting up a unified test, staging, and production environment to test the patches.

Backup and Disaster Recovery

The HIPAA Contingency Plan standard described in section 164.308(a)(7) [10] requires a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis. Part of proving due diligence is holding CEs and BAs responsible for ensuring PHI is not destroyed or lost in the event of a disaster. Offsite data backups are imperative and offsite disaster recovery is strongly recommended.

Patient care is not a 9-5 job; a primary driver behind electronic health records is the portability and availability of patients’ records to health care providers around-the-clock. Availability means that PHI is always available, accessible and never lost. When a patient arrives in the emergency room at two o’clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient’s records at his fingertips.

[9] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Administrative Safeguards; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

[10] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf

Protecting healthcare data and ensuring its availability means putting procedures in place to mitigate disasters, and having a solid plan in hand to activate when a disaster occurs. The infrastructure to do this is defined by two perspectives:

1. Disaster Prevention - Putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
2. Disaster Recovery - Assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if a disaster occurs in the primary data center.

High Availability, Redundant Firewalls

Firewalls can help meet both the administrative safeguard requirement to protect PHI from malicious software (164.308(a)(5)) and the technical safeguard requirement to tightly control access to PHI (164.312(a)(1)). The data center should be protected by redundant, or high availability, firewalls so that if one fails due to a hardware, software, or power issue, a second firewall can still stand between PHI and a malicious attack. Intrusion detection and intrusion prevention capabilities should also supplement firewall protection, and are often a feature of many modern firewall and universal threat management appliances.

Plan or evaluate with the knowledge that it’s not a matter of “if” a firewall fails, it’s “when” a firewall fails. Look for every single point of failure in the data center and plan high-availability redundancies anywhere they exist. For example, the firewalls should be plugged into separate power strips that are connected to separate power feeds in the data center. If the redundant firewalls are plugged into a single power strip that blows a breaker fuse, all redundancy is lost.

High Availability, Redundant Routers

Routers are responsible for passing data to and from the data center from the Internet. In order to ensure that PHI is always available, the data center should use redundant routers to ensure that data traffic can still continue when one router experiences a hardware, software or power failure. Routers should be powered by separate power strips connected to separate power feeds for true redundancy.

High Availability, Redundant Internet Service Providers

If the data center relies on a single Internet Service Provider (ISP), PHI availability will be at risk. Ask if the data center that will be protecting your PHI has separate ISPs that connect via different sides of the data center. Ask if the redundant service providers connect all the way to the data center directly through the same or disparate last-mile connections – different last-mile fiber connections will provide enhanced redundancy.

HIPAA Trained Staff and Documented Policies

The most secure technologies are rendered useless without a culture of processes that ensures that secure policies and procedures are documented and consistently followed. Review of independent audit reports should reflect a foundation of secure policies that guide day-to-day operations.

HIPAA Compliance also requires that all staff receive HIPAA security training and ongoing security updates. Ask potential vendors if all members of their staff have received HIPAA security training, where HIPAA compliance documents and policies are kept (every employee should know), and the date of the last training and security update. A company with a culture of security and compliance will have answers readily at hand.

3.5.2. Enhanced Security

The following section describes additional enhanced security measures a CE can put in place to further hedge against the risk of a PHI breach. While these enhanced protections come at an additional cost to the IT budget, the cost of cleaning up the aftermath of a breach is far greater to the business.

Dual-Factor Authentication

One of the weakest links in protecting PHI is the use of simple passwords. While it may seem like common sense that passwords based on a spouse’s name, anniversary, or simple patterns like “abc123” or “123456” are not sufficient to protect PHI, ensure there is a policy requiring complex passwords of at least 8 characters that combine lower case letters, upper case letters, numbers, and special symbols. A policy of changing passwords regularly (every 90 days) is a good start.

To protect against weak or stolen passwords, implement dual-factor authentication. This requires multiple forms of identification for a login, such as a code and a username/password combination. Biometric login systems may require a fingerprint along with a code or keycard. For cloud and web-based applications, dual-factor authentication systems require a username, password, and a code that is sent to a mobile device by phone call or text message. Ask your cloud provider if they provide dual-factor authentication services for VPNs and web-based logins, or contact a service such as Duo [11] to improve PHI protection.

SSL Certificate (Web Apps)

To secure PHI data in a web-based application, an SSL (Secure Sockets Layer) certificate is a must. The SSL certificate is used by software that encrypts all data moving between two or more end-points (i.e. from a browser to a server containing the application or website). Since many healthcare applications are now hosted in the cloud and accessed by browsers (Internet Explorer, Chrome, Firefox), the SSL certificate is essential to proper security.

File Integrity Monitoring (FIM)

File Integrity Monitoring refers to ensuring the integrity of the files on a server. The basic technique is the comparison of the current file to the known, safe baseline. While file changes are expected and within the normal realm of daily interaction and activity, there are a few key changes that may trigger additional investigation, such as a change of ownership, security settings, or configuration values.

[11] Duo Security; http://www.duosecurity.com

When the enhanced security of FIM makes sense, a separate server is often set up to perform this function, using one of many third-party software applications to monitor and evaluate file changes and alert administrators of any suspicious activity.
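As an added example (not Online Tech’s code or any particular FIM product), the following Python sketch shows the baseline-and-compare technique described above: it records a SHA-256 digest together with ownership and permission bits for each file, seals the baseline with an HMAC so that a tampered baseline is itself detectable, and classifies each change as content, ownership or permissions, the three kinds of change the text flags for investigation. The directory layout, file contents and key in demo() are constructed for the demonstration.

```python
"""File Integrity Monitoring (FIM) baseline-and-compare (section 3.5.2).

Added example, not Online Tech's tooling or any particular FIM product. It
records a SHA-256 digest plus ownership and permission bits for each file,
seals the baseline with an HMAC so a tampered baseline is itself detectable,
and classifies each change as content, ownership or permissions.
"""
import hashlib
import hmac
import json
import shutil
import stat
import tempfile
from pathlib import Path

# Ownership and permission changes are the ones the paper singles out for
# additional investigation; content changes cover configuration values.
CONTENT, OWNERSHIP, PERMISSIONS, ADDED, REMOVED = (
    "content", "ownership", "permissions", "added", "removed")


def _sha256(path: Path) -> str:
    """Stream the file so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Digest, uid/gid and permission bits for every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        entries[p.relative_to(root).as_posix()] = {
            "sha256": _sha256(p),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return entries


def seal(baseline: dict, key: bytes) -> bytes:
    """Serialize the baseline and append an HMAC-SHA256 tag over it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def unseal(blob: bytes, key: bytes) -> dict:
    """Reject a baseline whose tag does not verify (key lives off the host)."""
    body, tag = blob.rsplit(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> list:
    """Return (path, category) findings; one file can produce several."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, REMOVED))
        elif path not in baseline:
            findings.append((path, ADDED))
        else:
            old, new = baseline[path], current[path]
            if old["sha256"] != new["sha256"]:
                findings.append((path, CONTENT))
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                findings.append((path, OWNERSHIP))
            if old["mode"] != new["mode"]:
                findings.append((path, PERMISSIONS))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a small config tree, then change it."""
    root = Path(tempfile.mkdtemp(prefix="fim_demo_"))
    try:
        etc = root / "etc"
        etc.mkdir()
        (etc / "app.conf").write_text("db_host=phi-db.internal\n")  # constructed
        (etc / "users.txt").write_text("alice\nbob\n")  # constructed
        for f in (etc / "app.conf", etc / "users.txt"):
            f.chmod(0o640)
        key = b"constructed-demo-key"  # real key is stored off the monitored host
        sealed = seal(snapshot(root), key)
        # Simulated drift: config value edit, loosened permissions, new file.
        (etc / "app.conf").write_text("db_host=other-host.internal\n")
        (etc / "users.txt").chmod(0o666)
        (etc / "cron.sh").write_text("#!/bin/sh\n")
        return compare(unseal(sealed, key), snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Running demo() reports the edited configuration file as a content change, the loosened mode on users.txt as a permissions change and cron.sh as an added file; an ownership change would need a uid/gid difference between the two snapshots.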

Web Application Firewall (WAF)

A Web Application Firewall sits in front of the web server and inspects HTTP requests and responses rather than just packets and ports. It can enforce an allowlist of the requests the application is expected to receive, block common attacks against the application (injection, cross-site scripting), and inspect outbound traffic for sensitive data, dropping anything that does not fit within the allowed configuration. For PHI applications exposed through a website where security is paramount, use of a WAF may make sense. It is a powerful tool in the security toolbox and can limit leakage of PHI to unauthorized users, but it is a compensating control, not a substitute for fixing the application behind it.
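A small illustration of both halves of that description, as an added example (not code from the original paper or from any commercial WAF): a WSGI middleware placed in front of a constructed patient-portal stub that allows only an explicit list of method and path patterns through, buffers each response, and refuses to send one containing an SSN-shaped token unless the route was cleared to return it. The routes, the stub application and the records it returns are assumptions for illustration; the regular expression is a deliberately narrow example of a data-leak signature, not a complete PHI detector.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

WsgiApp = Callable[[Dict[str, object], Callable], Iterable[bytes]]

# Positive security model: only requests matching one of these (method, path)
# pairs reach the application; everything else is rejected before it runs.
ALLOWED_ROUTES = (
    ("GET", re.compile(r"^/patients/\d+$")),
    ("POST", re.compile(r"^/login$")),
)
# Outbound inspection: an SSN-shaped token in a response body is treated as a
# leak unless the route is explicitly cleared to return one.
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class PhiWaf:
    """WSGI middleware that allowlists requests and screens responses for PHI."""

    def __init__(self, app: WsgiApp, ssn_allowed_paths: Iterable[str] = ()) -> None:
        self.app = app
        self.ssn_allowed_paths = set(ssn_allowed_paths)
        self.events: List[str] = []  # what a real WAF would forward to the SIEM

    def _deny(self, start_response, reason: str) -> Iterable[bytes]:
        self.events.append(reason)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"request blocked\n"]

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        path = environ.get("PATH_INFO", "")
        if not any(m == method and p.match(path) for m, p in ALLOWED_ROUTES):
            return self._deny(start_response, f"request {method} {path}: not in allowlist")

        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        # Buffer the whole response so it can be inspected before any byte leaves.
        body = b"".join(self.app(environ, capture))
        if path not in self.ssn_allowed_paths and SSN_PATTERN.search(body):
            return self._deny(start_response, f"response {method} {path}: SSN pattern in body")
        start_response(captured["status"], captured["headers"])
        return [body]


def sample_app(environ, start_response):
    """Constructed stand-in for a patient portal; /patients/8 has a leak bug."""
    start_response("200 OK", [("Content-Type", "application/json")])
    path = environ["PATH_INFO"]
    if path == "/patients/7":
        return [b'{"id": 7, "name": "Doe, J.", "dob": "1970-01-01"}']
    if path == "/patients/8":
        return [b'{"id": 8, "name": "Roe, R.", "ssn": "123-45-6789"}']
    return [b"{}"]


def call(app, method: str, path: str) -> Tuple[str, bytes]:
    """Minimal WSGI client for exercising the middleware without a web server."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"] = status

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return out["status"], body
```

Buffering the whole response is what makes outbound inspection possible; it costs latency and memory on large downloads, which is one reason a WAF is placed only in front of the pages that handle PHI rather than across the whole site. The recorded events are what should reach log review, so that an application leak is found and fixed rather than silently masked.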

Encryption

Encryption for data at rest and in transit is very strongly recommended. When transmitting PHI, the data should be sent over an encrypted connection (TLS, or an IPsec or SSL VPN); encrypting the payload as well protects it wherever it is stored or forwarded at the far end. HHS's breach-notification guidance points to the NIST publications for acceptable methods: NIST (National Institute of Standards and Technology) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, for data at rest, and the NIST TLS and VPN guides (Special Publications 800-52, 800-77 and 800-113) for data in motion. [12]

Data at rest is data stored on servers or backup systems (tape or disk) while not in use. It needs to be encrypted in case of disk theft or unauthorized access, with the keys kept separate from the data: a key stored on the same disk, or in a file beside the database, gives no protection against theft of that disk. Many data breaches are due to lost or stolen unencrypted portable devices (laptops or smartphones). PHI should not be stored on portable devices, but in a HIPAA compliant data center that serves the data to those devices on demand. That way, thousands of patient records are never resident on any of your computing devices, but in a secure location accessed through the device. This greatly improves your PHI security: if you lose the device, you do not lose the sensitive data with it, provided the application does not cache records locally.

Additionally, the HIPAA breach notification rule applies only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons. Breaches of unsecured PHI affecting 500 or more individuals must be reported to HHS and to the media without unreasonable delay; smaller breaches are logged and reported to HHS annually, and affected individuals must be notified in every case. If the lost or stolen data was encrypted consistent with the HHS guidance and the encryption key was not also compromised, the loss is not a reportable breach and you are not required to notify HHS, the media, or the affected individuals. [13]

[12] NIST, Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

[13] U.S. Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html


4.0. Outsource vs. In-House Hosting

4.1. Benefits of Outsourcing Hosting

Save on Costs

Why would a covered entity with sensitive data outsource its hosting to a third party? A HIPAA compliant hosting provider that has already passed an independent HIPAA audit can save time and money by reducing the scope of what you must audit yourself in addition to your own business. While it does not relieve you of the obligation and responsibility to meet compliance (the covered entity remains accountable for its PHI), it helps you more readily achieve compliance and mitigate risk.

Additionally, managed hosting allows your IT team to focus on the applications directly related to your business rather than on the day-to-day details of server updates, data center infrastructure, network management and security, which can more readily be outsourced to a trusted provider.

Security

A HIPAA compliant hosting provider can provide the latest tested and audited technology to

help achieve compliance and secure your ePHI. With a variety of required and recommended

security methods, you can trust experienced, certified professionals to maintain, monitor and

accurately generate logs of activity on your servers.

Outsourcing allows you to benefit from the various levels of security that a quality hosting

provider should have in place. These advantages include physical security, environmental

controls, logged access and video surveillance, and multiple alarm systems to detect

unauthorized access.

Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired unified threat management (UTM) devices to protect sensitive information.

While the HITECH Act requires that patients be given access to their records on request, your outsourced hosting provider should never need to access PHI itself; its role is to build, maintain and monitor the secure infrastructure in which your sensitive information is stored and transmitted.

Availability

The use of high-availability (HA) solutions in a fully redundant and compliant data center allows clients to increase their uptime and PHI availability. An HA infrastructure reduces the risk of business downtime due to a single point of failure. Outsourcing to a HIPAA hosting provider means your business can take advantage of your data center operator's design of power connections, UPS (uninterruptible power supply) systems, generators, air conditioning and networks.

Flexibility

Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-generation VMware (the market leader at the time of writing) for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows servers to be scaled up and down as needed to respond to the demands of end-users, with fast deployment times.

4.2. Risks of Outsourcing

However, outsourcing HIPAA compliant hosting to a service provider means extending your circle of trust to include a third-party vendor. These service providers, known as business associates (BAs), expose your company to the risk of a PHI breach on their side. According to HHS.gov, 62 percent of the total number of patient records breached involved a business associate, which makes it all the more necessary to thoroughly vet anyone that touches your PHI.

The stakes for both covered entities and business associates are getting higher, with HHS now extending responsibility to protect PHI to all business associates throughout the "chain of trust." States are also exercising their rights under HITECH to bring civil actions against business associates, and state breach-notification laws apply in addition to the federal rules.

HIPAA Breach Fines and Penalties

A covered entity's lack of due diligence can result in costly fines and penalties. The civil penalties for a HIPAA violation range from $100 per violation, with an annual maximum of $25,000 for repeat violations of the same provision, up to $50,000 per violation with an annual maximum of $1.5 million. [14]

The amount depends on the tier of culpability, each with minimum and maximum per-violation penalties and an annual cap:

[14] Office for Civil Rights, Federal Register Vol. 74, No. 209, Rules and Regulations; http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf


HIPAA Violation Types and Penalties [15]

Violation type: Individual did not know they violated HIPAA
  Min. penalty: $100/violation; annual max of $25,000 for repeat violations
  Max. penalty: $50,000/violation; annual max of $1.5 million

Violation type: Reasonable cause and not willful neglect
  Min. penalty: $1,000/violation; annual max of $100,000 for repeat violations
  Max. penalty: $50,000/violation; annual max of $1.5 million

Violation type: Willful neglect, but corrected within the required time
  Min. penalty: $10,000/violation; annual max of $250,000 for repeat violations
  Max. penalty: $50,000/violation; annual max of $1.5 million

Violation type: Willful neglect, not corrected
  Min. penalty: $50,000/violation; annual max of $1.5 million
  Max. penalty: $50,000/violation; annual max of $1.5 million

Another category of HIPAA violation is committed by covered entities and individuals that knowingly obtain or disclose PHI in violation of the HIPAA rules; for these, criminal penalties apply.

The most serious offense is a breach committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, carrying fines of up to $250,000 and imprisonment for up to ten years.

Ultimately, covered entities are held responsible when it comes to monetary and reputational consequences, although under the revisions to the HIPAA rules proposed at the time of writing, that responsibility extends directly to business associates as well.

[15] American Medical Association, HIPAA Violations and Enforcement; http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page


5.0. Vendor Selection Criteria

5.1. HIPAA Compliant Business Associates

When a covered entity decides to outsource HIPAA compliant hosting to a business associate,

they need to look for certain indicators of compliance to ensure due diligence in vetting their

service provider. Due diligence can help a covered entity prevent a potential data breach

resulting in costly fines and reputational and business damage.

HIPAA Report on Compliance (HROC)

As the number of reported data breaches and the cost of these data breaches to the healthcare

industry rise, it becomes imperative for a covered entity to select business associates that have

invested in an independent audit and can provide a copy of their audit report to ensure they are

following compliant policies and procedures.

Ask your HIPAA hosting provider if they can provide a copy of their independent audit report

(also known as a HIPAA Report on Compliance, HROC), stating they are compliant across all

54 HIPAA citations, 136 audited components and 19 standards.

HIPAA Certification vs. Compliance

Beware of data center operators that claim to be “HIPAA certified.” There is no governing body

or federally recognized HIPAA certification, for covered entities or business associates alike.

The correct term and usage is “HIPAA compliant,” meaning their policies, procedures,

technology and staff implement security controls that are aligned with the HIPAA rules.

While, in some cases, certification may mean they have taken an unofficial exam and passed

with knowledge of HIPAA-related material, it does not mean their facilities, staff or solutions are

actually compliant with the HIPAA standards. It also does not mean using their services will

make your company compliant.

Other Data Center Audits

While an HROC is specific to healthcare and the protection of PHI, other data center audits can

give you additional guidance and insight into a vendor’s ongoing compliance and level of

operating standards, as well as the quality of service you can expect to receive.

● SAS 70 [16] - The Statement on Auditing Standards No. 70 was originally used to measure a service provider's controls related to financial reporting and recordkeeping. Two types are recognized by the AICPA (American Institute of CPAs): Type 1 reports on a company's description of its operational controls at a point in time, while Type 2 also includes the auditor's opinion on how effectively those controls operated over a specified period of time. Neither type evaluates security as such; the controls in scope are whatever the service provider chose to describe.

[16] American Institute of CPAs, SAS No. 70 Transformed; http://www.aicpa.org/News/FeaturedNews/Pages/SASNo70Transformed%E2%80%93ChangesAheadforStandardonServiceOrganizations.aspx

● SSAE 16 - The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 for reporting periods ending on or after June 15, 2011. An SSAE 16 audit covers the controls relevant to financial reporting. Type 1 reports on a data center's description and assertion of its controls at a point in time, as reported by the company. Type 2 adds the auditor's tests of those controls and an opinion on their implementation and operating effectiveness over a specified period of time.

● SOC 1 [17] - One of the three Service Organization Control (SOC) reports developed by the AICPA, this report covers the controls of a data center relevant to its customers' financial reporting. It is the report produced under SSAE 16, so it measures the same controls as an SSAE 16 audit and, like it, says little about security.

● SOC 2 [18] - This report gives a detailed account of the technical controls relevant to IT and data center operators, measured against the five Trust Services Principles: security, availability, processing integrity (ensuring system processing is accurate, complete and authorized), confidentiality and privacy. A provider chooses which of the five are in scope, so check that security is among them. There are two types: Type 1 reports on the data center's system and the suitability of the design of its controls, as reported by the company; Type 2 includes everything in Type 1 plus the auditor's tests and opinion on the operating effectiveness of the controls over the review period.

● SOC 3 [19] - This report gives the auditor's opinion on the same Trust Services criteria as SOC 2, with a seal that may be displayed on websites and other documents. It is less detailed and technical than a SOC 2 report and omits the system description and the auditor's tests, so it cannot substitute for SOC 2 in due diligence.

● PCI DSS [20] - The Payment Card Industry Data Security Standard was created by the major card brands and applies to companies that store, process or transmit cardholder data. Data center operators that host cardholder data need to have undergone a PCI audit and obtained an Attestation of Compliance (the latest version of the standard at the time of writing is 2.0), and they should have a full understanding of which technical components can help your company meet the PCI requirements.

As with any type of audit, covered entities must review each individual compliance report to determine the scope and period it actually covers. Each SSAE 16 or HIPAA audit is unique to the hosting provider: check which data centers, systems and controls were in scope, and whether the services you intend to use were among them.

[17] American Institute of CPAs, SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting; http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC1Report.aspx

[18] American Institute of CPAs, SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy; http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc2report.aspx

[19] American Institute of CPAs, SOC 3: Trust Services Report for Service Organizations; http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc3report.aspx

[20] The PCI Security Standards Council, PCI SSC Data Security Standards Overview; https://www.pcisecuritystandards.org/security_standards/


Business Associate Agreement

The lack of a business associate agreement (BAA) implies negligence and may fall under the

HIPAA violation category of Willful Neglect. Check to make sure your business associate has a

thorough BAA with documented policies that discuss how they handle PHI, from breach

notification to contract termination and data ownership.

Part of your due diligence as a covered entity is to understand your hosting provider's documented policies and procedures for securing your data and handling a data breach. Check the timeline for notifying covered entities in their breach notification policy. A business associate is required by law to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, and the covered entity must in turn notify affected individuals without unreasonable delay and no later than 60 calendar days after it discovers the breach. [21] A BAA should commit the provider to something much shorter than the legal maximum, since the covered entity's own clock is running while it waits.

Another key clause of a BAA should have terms and effective dates, with language around how

PHI will be handled after termination, including the return and destruction of data. Data

ownership, access and rights should also be discussed in the agreement.

PHI Breach Insurance Protection

Even if your business associate and your company have policies and procedures in place to

prevent a data breach, unexpected data loss can still occur. Covered entities may want to ask

for a copy of the business associate’s PHI breach insurance policy. This is important to cover

the cost of notification, investigation, litigation and any levied penalties. If the business associate

has been put out of business or severely compromised by the substantial costs of a breach, all

of the burden will fall upon the covered entity.

Insurance policies exist that will mitigate the costs of PHI breach notification, litigation and

penalties. It’s a basic protection every business associate should invest in.

HIPAA Policy Training

Your HIPAA hosting provider should have documented internal processes and policies that are

considered best practice. Within their organization, they should have an appointed Risk

Management Officer that oversees that the custom policies and procedures are being followed

and are in compliance with the HIPAA regulations.

The Risk Management Officer also conducts employee training to educate and implement the

HIPAA policies and procedures that affect the day-to-day operations of their organization.

Employee training is important when it comes to any business associate, as many data

breaches (and HIPAA violations) are a result of human error, or an employee mishandling

sensitive data, and not hacker-related. During the vendor selection process, ask your hosting provider for the date of their most recent HIPAA policy training and the percentage of employees who have completed it.

[21] U.S. Department of Health and Human Services, Breach Notification Rule; http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html


5.2. Other Key Data Center Considerations

Ownership

As stated earlier, data ownership is especially important to review in your hosting contract and

BAA. Some providers reserve the right to access, allow access, and claim ownership of your

sensitive information while it is hosted on their servers or in their environment. This is an issue

that can occur especially in the cloud, as some cloud vendors may claim legal ownership of the

data once in their possession.

Another consideration is ownership and operation of the data center(s). Some hosting providers

will provide a service that is run in data centers owned and operated by different companies -

this further extends the “chain of trust” to include potentially unknown third-parties. If you have

no way of knowing who has access to or controls the environment that houses your servers, let

alone their level of compliance, you are putting your PHI and business at risk.

Geographical Location

Hosting facility location is another important consideration, as data centers in certain regions are more susceptible to natural disasters, risking the complete destruction of your data. Choosing a data center in a low-risk region such as the Midwest reduces that exposure; it does not remove the need for an offsite copy, since no location is immune to fire, flooding or a prolonged outage.

Another factor is climate - a region that allows a data center operator to take advantage of

natural cooling for most of the year also allows you, as the client, to take advantage of their

operating cost-savings. It also reduces the risk of overheating and potential hardware failure

that could affect your data availability.

Knowing where your data lives is a key consideration: if your data leaves the country, do you still control it? HIPAA is a United States law enforced by the Department of Health and Human Services. A foreign vendor that has not signed a business associate agreement is outside its reach, and even one that has is harder to audit and to hold to the agreement in practice. Your own obligations as a covered entity do not change when the data crosses a border, so data hosted overseas can leave you exposed to a breach or a HIPAA violation that you have little ability to remedy.

Disaster Recovery

The HIPAA Security Rule was created to protect not only the confidentiality of ePHI, but also the integrity and availability of patient records. According to HHS, "integrity" means that ePHI is not altered or destroyed in an unauthorized manner. [22]

Preserving the integrity and availability of information means putting formal data backup and recovery plans in place so that data can be accurately and quickly restored in the event of a disaster or failure; the Security Rule's contingency plan standard calls for a data backup plan, a disaster recovery plan and an emergency mode operation plan. Location matters for offsite backup and disaster recovery: a copy of your PHI in a separate location, protected in the same way as the primary copy, preserves both the integrity and the availability of your information.

[22] U.S. Department of Health and Human Services, Summary of the HIPAA Security Rule; http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

The Security Rule also requires on-demand access to patient records, which, in turn, requires

high availability hosting and infrastructure. Choosing a data center operator with a well-designed

geographical separation between their data centers helps availability, as well as having multiple

power grids to further boost utility resiliency should one power provider experience a prolonged

outage.

Data Destruction

The HHS guidance specifying the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals states that paper, film or other hard-copy media must be shredded or destroyed such that the PHI cannot be read or reconstructed, and that electronic media must be cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. [23]

Ensuring the confidentiality of your sensitive data means knowing where your data goes after

you terminate your contract with your HIPAA hosting vendor. It also means knowing whether or

not there are any copies of the data leftover after you leave the vendor. If any archived,

unencrypted PHI is found on backup tapes or servers, you are putting yourself at risk of a

HIPAA violation. Check your HIPAA hosting provider’s BAA for specific provisions on how they

will handle PHI after contract termination.

High Availability

A high availability (HA) hosting infrastructure is imperative to ensuring data is always

accessible. HA solutions increase uptime and availability and lower risks. It’s not a matter of “if”

something fails, it’s planning for “when” failures happen - and they will. In your evaluation of any

data center - yours or a third-party – you should endeavor to identify all of the single points of

failure. It’s worth an outside opinion if reviewing your own data center (nothing beats an

independent pair of eyes) and when visiting a potential data center Business Associate - ask the

hard questions whenever you suspect complete redundancy is not in place.

With HA protection in place, providers can hedge against the loss of electrical power, network connectivity disruptions, router failures, firewall failures or attacks, and cooling problems, and have peace of mind knowing PHI is protected, available and safe.

A managed HIPAA hosting solution takes into account several design factors to ensure no

single points of failure exist. This is true for the data center infrastructure layer components, as

well as the individual servers and components in the rack.

[23] U.S. Department of Health and Human Services, 45 CFR Parts 160 and 164; http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf


The major design points for a successful HIPAA hosting implementation include building in

redundancies in critical equipment and infrastructure, including:

Power connections - Dual independent power feeds are run from separate circuit breakers to two separate power supplies in the server. Each power supply is plugged into a different power strip in the rack, so the loss of one feed, breaker or strip does not take the server down. Power strips with digital amp-load readouts aid in monitoring load and help avoid tripping a circuit breaker, which would shut down the entire strip.

UPS systems - Uninterruptable Power Supplies (UPS) clean and distribute power and provide

backup power through a bank of batteries in the event of a power outage. The clean power from

the UPS is stable; therefore, any fluctuation in power, both power surge and brown-out, is

regulated by the UPS.

Generators - Each UPS is fed by one or more power feeds from the utility company, and the utility feed is backed by multiple generators that run on either diesel or natural gas. If utility power is lost, the UPS maintains stable power to the racks while the generators start and take over the load. Fuel supply contracts must be in place with several vendors, with fuel-delivery SLAs, so that a prolonged outage does not outlast the fuel on site.

Air conditioning – N+1 redundant cooling is in place with environmental monitoring, and

scheduled maintenance plans to ensure the data center climate remains in the safe zone.

Network connections, switches and firewalls - The network connectivity in a managed cloud is designed to replicate the same redundancy as the power distribution, so that network and Internet connectivity have no single point of failure. Each server in the cloud should have at least two separate Network Interface Cards (NICs) connecting it to the redundant HA network infrastructure. Each NIC in the server is connected to a different network switch, which distributes network connectivity to all servers contained within the cloud.

Each network segment is protected by a pair of redundant firewalls, which guard traffic on that segment from intruders and security threats. Additionally, each firewall is connected to separate routers and network access switches, and those routers are connected to multiple Internet Service Providers (ISPs) to provide diverse network paths to and from the Internet.

Cloud Computing

Server and storage devices - A high-performance managed cloud relies on top-notch technology for server hosts and SAN storage. Virtualization technologies like VMware (in its fifth generation at the time of writing) dominate the market for applications that require a high degree of resiliency, security and scalability. The ability to scale servers up and down as needed also introduces flexibility into the managed cloud architecture, so that clients can be responsive to the needs of their end-users.


VMware backed by name-brand SAN and server technology creates the server and storage platforms necessary to deliver highly available cloud solutions. Regardless of which brand of hardware is chosen, using multiple server hosts allows VMware to fail virtual machines over to secondary hosts in the event of a hardware failure, keeping critical systems online in the cloud.

And finally, a SAN with multiple redundant controllers and high-speed RAID disk systems is designed to meet the performance and availability needs of virtualization environments for today's demanding applications. Today's SANs combine intelligence and automation with fault tolerance to provide simplified administration, rapid deployment, enterprise performance and reliability, and seamless scalability.

Room to Grow

When choosing a HIPAA compliant hosting company, you want to partner with a business that

can give you room to grow. On-demand resources can be deployed rapidly with a managed

cloud solution, meaning you can easily scale servers up and down as needed.

Managed Services

With a managed hosting provider, you can take advantage of their managed services to ease

the burden on your own IT staff and resources. An investment in managed hosting services

means a trained and professional IT team can perform maintenance and updates, freeing up

your IT staff to focus on developing your core business and applications. Some of the managed

services available when you outsource include:

● Patch Management - Ask your potential vendor if they provide OS patch management as a managed service. Why is patch management important? If your servers are not updated and managed properly, your PHI and applications are exposed to attackers exploiting known vulnerabilities. Your hosting provider should provide notification of outstanding updates, patch installation assistance, and different levels of patch management (for example, automatic installation of security updates versus scheduled maintenance windows) for optimal security.

● 24/7 Emergency Response - In the event of unauthorized access or a disaster/failure, your hosting provider should have a responsive, trained support team ready to report and remediate the issue. The faster a data breach is reported to you, the more time your company has to investigate, notify, and compile the documentation the Office for Civil Rights (OCR) requires.

● Proactive Server Monitoring - With a remote server monitoring service, you should be

able to check the status of your servers even if you’re not located at the data centers.

Your hosting provider should have a monitoring service that allows you to check your

current disk space or bandwidth usage, and your application, web and database

performance, all through a single-pane-of-glass portal.

If you choose to keep your hosting in-house, it is likely you will not have the resources or budget to accommodate all of the features listed above, including the capital investment in hardware. Keeping operations in-house may require training or hiring new staff to manage server hardware, storage, virtual servers or data center infrastructure as you work to implement and achieve HIPAA compliance with different technologies. One example is building an offsite disaster recovery solution: some cloud hosting providers can provide a disaster recovery solution at a significantly lower cost than building it internally.


6.0. Conclusion

With the right business associate that can prove compliance and fit the needs of your company, you can safely outsource HIPAA hosting to a fully managed and audited data center operator. Partnering with a provider that can implement the proper administrative, technical and physical security means you can also take advantage of their managed service offerings to save on internal resources better spent on your core business.

However, realizing the benefits of outsourcing requires doing your due diligence as a covered entity in the vendor selection process to keep the integrity, confidentiality and availability of ePHI consistent with federal standards. Extending the “chain of trust” to a third party means you are only as compliant as your weakest link - further emphasizing the need to carefully select your vendors.

Here’s a quick review of what to look for in a HIPAA hosting provider:

● Review a copy of their HIPAA Report on Compliance (HROC) outlining the scope of their independent HIPAA audit - this is essential to ensuring their data centers and solutions are operating within compliance.

● Ask your HIPAA hosting provider what specific technologies should be implemented, and request a copy of their detailed operating policies and procedures.

● Check the dates of your vendor’s last employee training sessions, and the percentage of employees who completed them. As a business associate, your hosting provider should have an appointed Risk Management and Security Officer who oversees training and ongoing compliance.

● Review their business associate agreement (BAA), which should outline the responsibilities of both the business associate and the covered entity, and their roles in protecting PHI from contract start to termination. Check for a clause specifically related to their breach notification timeline.

● Other considerations include a data center location free from natural disasters and designed for high availability and disaster recovery options, and contract clauses relevant to data ownership, data center ownership and data destruction.

Meet with your potential vendor and verify that all of the above are in place and that they are regularly maintained and monitored. Outsourcing, when done right, can save a covered entity significant money and time and provide a high level of compliance and service quality while avoiding the potential risk of a HIPAA violation.


7.0. References

7.1. Questions to Ask Your HIPAA Hosting Provider

1. Do you sign a BAA (business associate agreement) with documented and communicated policies?

2. What timeframe does your BAA promise clients for PHI breach notification?

3. Who performed your independent HIPAA audit and do you provide copies of the audit report?

4. What policies and technologies are used to protect my applications and PHI data?

5. If disaster strikes, how long will it take before PHI is available again?

6. Do you have documented policies and procedures?

7. Are your employees trained to handle PHI and comply with HIPAA policies?


7.2. Example BAA

Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

SAMPLE BUSINESS ASSOCIATE CONTRACT PROVISIONS [1]

(Published in FR 67 No.157 pg.53182, 53264 (August 14, 2002))

Statement of Intent

The Department provides these sample business associate contract provisions in response to numerous requests for guidance. This is only sample language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these sample provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate.

These or similar provisions may be incorporated into an agreement for the provision of services between the entities or they may be incorporated into a separate business associate agreement. These provisions only address concepts and requirements set forth in the Privacy Rule and alone are not sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that are required or typically included in a valid contract. Reliance on this sample is not sufficient for compliance with State law and does not replace consultation with a lawyer or negotiations between the parties to the contract.

Furthermore, a covered entity may want to include other provisions that are related to the Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule.

In addition, there may be permissible uses or disclosures by a business associate that are not specifically addressed in these sample provisions, for example having a business associate create a limited data set. These and other types of issues will need to be worked out between the parties.

Sample Business Associate Contract Provisions [2]

Definitions (alternative approaches)

Catch-all definition:

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.

Examples of specific definitions:


1. Business Associate. "Business Associate" shall mean [Insert Name of Business Associate].

2. Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity].

3. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

4. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

5. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

6. Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.

7. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

Obligations and Activities of Business Associate

1. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

2. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages to a Business Associate.]

4. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.

5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

6. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner [Insert negotiated terms], to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if business associate does not have protected health information in a designated record set.]

7. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner [Insert negotiated terms]. [Not necessary if business associate does not have protected health information in a designated record set.]

8. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to the Secretary, in a time and manner [Insert negotiated terms] or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.

9. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

10. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner [Insert negotiated terms], information collected in accordance with Section [Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

Permitted Uses and Disclosures by Business Associate

General Use and Disclosure Provisions [(a) and (b) are alternative approaches]

(a) Specify purposes:

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity: [List Purposes].

(b) Refer to underlying services agreement:

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

Specific Use and Disclosure Provisions [only necessary if parties wish to allow Business Associate to engage in such activities]

1. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

2. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).

4. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

Obligations of Covered Entity

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions [provisions dependent on business arrangement]

1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.

2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. [Include an exception if the Business Associate will use or disclose protected health information for, and the contract includes provisions for, data aggregation or management and administrative activities of Business Associate].

Term and Termination

1. Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. [Term may differ.]

2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:

a. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

b. Immediately terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible; or

c. If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.

[Bracketed language in this provision may be necessary if there is an underlying services agreement. Also, opportunity to cure is permitted, but not required by the Privacy Rule.]

3. Effect of Termination.

a. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

b. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon [Insert negotiated terms] that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Miscellaneous

1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.

2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.

3. Survival. The respective rights and obligations of Business Associate under Section [Insert Section Number Related to "Effect of Termination"] of this Agreement shall survive the termination of this Agreement.

4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.

[1] This website version of Sample Business Associate Contract Provisions was revised June 12, 2006 to amend the regulatory cites to the following terms: "individual"; "protected health information"; and "required by law."


[2] Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions and are not intended to be included in the contractual provisions.


7.3. Data Center Standards Cheat Sheet

SAS 70

The Statement on Auditing Standards No. 70 was the original audit to measure a data center’s financial reporting and recordkeeping controls. Developed by the AICPA (American Institute of CPAs), there are two types:

● Type 1 – Reports on a company's description of their operational controls

● Type 2 – Reports on an auditor's opinion on how effective these controls are over a specified period of time (six months)

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting.

● Type 1 – A data center’s description and assertion of controls, as reported by the company.

● Type 2 – Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.

SOC 1

The first of three new Service Organization Controls reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It is essentially the same as an SSAE 16 audit.

SOC 2

This report and audit is completely different from the previous ones. SOC 2 measures controls specifically related to IT and data center service providers. The five controls are security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types:

● Type 1 – A data center’s system and the suitability of its design of controls, as reported by the company.

● Type 2 – Includes everything in Type 1, with the addition of an auditor's opinion on the operating effectiveness of the controls.

SOC 3

This report includes the auditor’s opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.

HIPAA

Mandated by the U.S. Health and Human Services Dept., the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), or patient health data (medical records). When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected. A HIPAA audit conducted by an independent CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions.

No other audit or report can provide evidence of full HIPAA compliance.