What Is HIPAA Compliant Database Hosting?

Frequently, healthcare organizations use HIPAA compliant database hosting companies to move the organizations’ IT infrastructure, data, and applications to the cloud. Under the HIPAA Security Rule, business associates – entities that process, store, or transmit protected health information (PHI) on behalf of a covered entity – must implement administrative, technical, and physical safeguards to ensure the confidentiality, availability, and integrity of ePHI. Database hosting companies process, store, and transmit PHI on behalf of covered entities. As such, these companies can be considered business associates. This means that they must offer HIPAA compliant database hosting, in accordance with the provisions of the Security Rule.

What are the Requirements for HIPAA Compliant Database Hosting?

Under HIPAA, covered entities and business associates must implement all of the administrative, technical, and physical safeguards of the Security Rule. To host a HIPAA compliant database, the hosting company should implement the Security Rule measures described below.

HIPAA compliant database hosting should have the following components:

  • Data Encryption.  Encryption transforms readable data (plaintext PHI) into unreadable ciphertext using an algorithm and a key. The ciphertext can only be turned back into readable data by someone holding the corresponding decryption key. Encrypting data protects it even in the event of a breach or theft, because the data is useless to anyone who obtains it without the key.
  • Proper Encryption Key Management.  Proper encryption key management requires organizations to store encryption keys in a manner that minimizes the risk that the keys will be lost or exposed, and separately from the data they protect, so that a breach of the database does not also hand over the keys. Professional, certified key management solutions can provide the required management.
  • Unique User IDs.  The Security Rule’s technical safeguard provisions require unique user IDs for all users. Unique IDs allow an organization to identify specific users of an information system. Under the Security Rule, user login credentials should not be shared. Assigning unique user IDs allows an organization to monitor specific user activity, thereby enabling the entity to hold users accountable for functions performed on information systems containing electronic protected health information (ePHI). The Security Rule does not dictate a specific method of assigning IDs. The rule simply requires an organization to “Assign a unique name and/or number for identifying and tracking user identity.” To become a HIPAA compliant database host, the hosting company must come up with a method for assigning the unique user ID in a manner that is reasonable and appropriate for the hosting company.

The unique user ID can be:

  • The employee name or a variation of the name; or
  • An alternative, such as an assignment of a set of random numbers and characters

Each method has its strengths and weaknesses. While a randomly assigned user ID is more difficult for unauthorized users, such as hackers, to guess, this user ID may also be more difficult for authorized users to remember and for management to recognize.

  • Authentication. A HIPAA compliant database must securely authenticate users who will have access to ePHI. Generally, authentication ensures that a person is in fact whom he or she claims to be, before being allowed access to ePHI. This is accomplished by providing proof of identity. There are a few basic ways to provide proof of identity for authentication. These include:  
    • Requiring something known only to that individual, such as a password or PIN; 
    • Requiring something that individuals possess, such as a smart card, a token, or a key; 
    • Requiring something unique to the individual, such as a biometric scan. Examples of biometric scans include fingerprints, voice patterns, facial patterns or iris patterns. 
  • Authorization. To be a HIPAA compliant database, a database must control access to ePHI by assigning differing — and appropriate — roles and privileges to users.
  • Audit Logs. Audit logs are records of events generated by applications, users, and systems. HIPAA compliant database hosting requires all data usage (user logins, reads, writes and edits) to be logged to a separate infrastructure, so that a user who can modify the database cannot also alter the record of what was done, and archived.
  • Database Backups. The Security Rule requires creation, testing, and storing of database backups. The backups themselves must be fully encrypted. 
  • Automatic Updates. Automatic updates are regular, unattended software updates. They help ensure that database and operating system software receives security patches promptly rather than running versions with known vulnerabilities.
  • Data Disposal.  HIPAA compliant database hosting requires the hosting company to have methods in place to ensure that data and media are securely disposed of when they are no longer needed.
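As an added example, not taken from the original article, the following PostgreSQL script shows how three of the components above (unique user IDs, role-based authorization and an audit log of writes, with reads captured by server logging) look at the database level. The role names, table names and password placeholders are constructed for illustration, and it assumes PostgreSQL 11 or later run by a superuser.

```sql
-- Added example (constructed, not from the page): unique logins, least-privilege
-- roles, and an audit trail users cannot edit, for PostgreSQL 11+.

-- Privileges attach to group roles; every person gets their own LOGIN role and
-- inherits from one group, so no credential is ever shared.
CREATE ROLE phi_reader NOLOGIN;
CREATE ROLE phi_writer NOLOGIN;
CREATE ROLE jsmith LOGIN PASSWORD 'CHANGE-ME-placeholder' IN ROLE phi_reader;
CREATE ROLE rlee   LOGIN PASSWORD 'CHANGE-ME-placeholder' IN ROLE phi_writer;

CREATE TABLE patient_record (
    id   SERIAL PRIMARY KEY,
    mrn  TEXT NOT NULL,      -- medical record number (constructed column)
    note TEXT
);

-- Audit table: who did what, to which row, when, and from where.
CREATE TABLE phi_audit (
    id          BIGSERIAL PRIMARY KEY,
    occurred_at TIMESTAMPTZ NOT NULL DEFAULT now(),
    db_user     TEXT        NOT NULL,
    action      TEXT        NOT NULL,
    record_id   INTEGER,
    client_addr INET
);

-- Authorization: readers only SELECT; writers also INSERT/UPDATE, never DELETE.
GRANT SELECT                 ON patient_record TO phi_reader;
GRANT SELECT, INSERT, UPDATE ON patient_record TO phi_writer;
GRANT USAGE ON SEQUENCE patient_record_id_seq TO phi_writer;
REVOKE ALL ON phi_audit FROM PUBLIC;   -- only the owner touches the audit trail

-- SECURITY DEFINER lets the trigger write to phi_audit on behalf of users who
-- hold no privilege on it. session_user is used because current_user inside a
-- SECURITY DEFINER body is the function owner, not the real login.
CREATE FUNCTION log_phi_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
    INSERT INTO phi_audit (db_user, action, record_id, client_addr)
    VALUES (session_user, TG_OP,
            CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
            inet_client_addr());
    RETURN NULL;   -- return value is ignored for AFTER triggers
END;
$$;

CREATE TRIGGER patient_record_audit
AFTER INSERT OR UPDATE OR DELETE ON patient_record
FOR EACH ROW EXECUTE FUNCTION log_phi_change();

-- Row triggers never fire on SELECT, so reads are logged by the server log
-- (shipped off-box); apply this to every login role that can see PHI.
ALTER ROLE jsmith SET log_statement = 'all';
ALTER ROLE rlee   SET log_statement = 'all';
```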

Business Associate Agreements (BAAs). A business associate agreement is a contract between a HIPAA covered entity and a vendor used by that covered entity. A HIPAA covered entity is typically a healthcare provider, health plan, or healthcare clearinghouse that conducts transactions electronically. To be a HIPAA compliant database hosting company (vendor), the hosting company must enter into an agreement with the covered entity that stipulates the types of protected health information that will be provided to the business associate; the allowable uses and disclosures of PHI; the measures that must be implemented to protect that information (e.g., encryption at rest and in transit), and the actions that the BA must take in the event of a security breach that exposes PHI.