In today’s world of increasingly complex IT infrastructure and escalating data center expenses, companies often choose to outsource their data center and IT infrastructure management. Selecting the right colocation vendor can greatly reduce overall IT costs and allow for cost-effective expansion as a company grows.
For health care organizations, the process of evaluating and choosing a compliant colocation vendor is extremely complex. Under the provisions of the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act, health care entities and all vendors who provide electronic services for them must adhere to strict governmental guidelines designed to safeguard the Privacy and Security of protected health information (PHI).
HIPAA Compliant Data Center Standards
Due to the sensitive nature of consumer health information, managed colocation solution providers must follow stringent data center HIPAA Security standards. Failure to conform to HIPAA guidelines can result in significant fines and penalties.
Within the data center environment, one person employed by the colocation vendor must be fully responsible for implementing appropriate security policies and procedures. In addition, the solution provider must properly specify and carefully manage all data access controls.
All data center employees must be fully trained in security best practices and adhere to administrative data access policies. Physical security such as keycards, security camera monitoring and 24/7 staffing must be implemented. Protocols must be in place to assure proper communications and response to any data security breach.
To assure continuity in the event of disaster or other extended interruption, the data should be stored on redundant, isolated web and database servers. A Disaster Recovery plan should also be developed and appropriate testing of the recovery plan should take place.
Technical Data Security Requirements under HIPAA
HIPAA compliant colocation data centers must assure that client health care data is protected. Advanced technical security should be implemented on multiple levels.
All web-based access to personal health care records must be encrypted and secured using SSL Certificates and HTTPS. Remote VPN access should only be available to those with certified credentials. Access should be further secured by virtual or dedicated firewalls and monitoring should be in place to identify and address any intrusions by hackers or malicious parties.
Protected Health Information (PHI) should be stored on dedicated servers and encrypted using the Advanced Encryption Standard (AES). This is critical because when health care organizations encrypt PHI they are considered to be within the “encryption safe harbor”. Under that standard an unauthorized disclosure of encrypted data is not considered a breach and therefore no breach notification is required.
Data integrity should be further protected by creating a separate web and database test server. Extensive testing should be conducted before software changes are fully implemented and data backups should be sufficient to assure that data can be restored in the event of significant system or software issues.
Choosing to outsource your IT Data Center operations to a HIPAA compliant colocation facility can provide significant cost savings and benefits to a health care organization. By carefully evaluating whether your colocation vendor meets the detailed HIPAA standards above, you can help ensure that your organization makes the right outsourcing choice.