Five Things You Probably Didn’t Know About HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA), and its revised rules under the Health Information Technology for Economic and Clinical Health Act (HITECH), cover any entity that has access to patient information or provides support in treatment, operations or payment in the health industry. These standards lay down security policies aimed at protecting the availability, integrity and confidentiality of personal health information. A few finer aspects of this standard that you may not be aware of are listed below:

#1. HIPAA Does Not Recommend or Set Procedures

HIPAA does not specify or recommend any technology platform or design to secure the data. The onus is on the provider to use industry best practices, or face the risk of being considered negligent. As such, a mere self-proclamation that a data centre is HIPAA compliant doesn’t actually convey anything. Clients need to dig deeper and find out how exactly the data centre is ensuring HIPAA compliance and security.

#2. HIPAA Mandates Physical Controls

Apart from technical safeguards that restrict access to electronic personal health information, audit stipulations, and disaster recovery protocols, HIPAA mandates having in place physical safeguards, which encompass restricted access to the facility, controls on removing, transferring, disposing of or re-using electronic media, and more.

#3. HIPAA Mandates Training

HIPAA stipulates that all employees involved in handling personal medical information be given training in proper security practices, and be made aware of the policies, reporting needs, data protection protocols and more.

#4. HIPAA Mandates Reporting Violations

HIPAA rules mandate that data centers, or any service provider for that matter, report any misuse of personal health information to the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). It thus places an additional responsibility on the service provider beyond merely following the laid-down protocols.

#5. HIPAA Takes Business Associate Agreements Seriously

HIPAA mandates having a thorough and comprehensive Business Associate Agreement (BAA) that documents and communicates the laid-down policies. Not having such a BAA may be construed as willful negligence, and make the parties liable for fines ranging from $10,000 to $50,000 per incident and potential criminal charges.

Alex Carroll

Managing Member at Lifeline Data Centers
Alex, co-owner, is responsible for all real estate, construction and mission critical facilities: hardened buildings, power systems, cooling systems, fire suppression, and environmentals. Alex also manages relationships with the telecommunications providers and has an extensive background in IT infrastructure support, database administration and software design and development. Alex architected Lifeline’s proprietary GRCA system and is hands-on every day in the data center.