What is Required for HIPAA Compliant Servers?
Data servers, by the nature of how they function, have the potential to access client data. Server providers that work with healthcare clients, or their business associates, host data that under the HIPAA regulation is considered protected health information (PHI). This makes the server providers themselves business associates, and thus, they are required to be HIPAA compliant. What is required for HIPAA compliant servers is discussed below.
HIPAA Compliant Servers: Security Features
HIPAA compliant servers have several security features that ensure the confidentiality, integrity, and availability of protected health information (PHI).
When determining whether or not a server is HIPAA compliant, the following should be considered:
◈ Does the server enable data encryption?
Encryption masks sensitive data so that it can only be read by authorized users possessing a decryption key. HIPAA requires organizations to assess whether or not encryption is reasonably appropriate for their organization (which in most cases it is). If encryption is not reasonably appropriate, the organization must use an alternate form of data protection that offers the same level of security as encryption. The form of encryption used should be end-to-end encryption (E2EE). E2EE secures both data at rest (data stored on the server) and data in motion (data sent to/from the server).
◈ Does it have a means for user authentication and tracking access to data?
◆ Unique User IDs. To properly track and manage PHI access, it is essential that all employees have unique login credentials to access data.
◆ Access Management. This requires organizations to designate different levels of access to PHI based on an employee’s job role. As such, HIPAA compliant servers must have a means to give employees access to only the data that they need to perform their job functions.
◆ Audit Logs. This ensures adherence to the minimum necessary standard. Audit logs keep track of access to PHI including who accessed it, what they accessed, and how long they accessed it for. Organizations are required to keep an audit log to determine regular PHI access patterns for each employee (enabled through unique user IDs). Determining regular access patterns is key to quickly detect breaches (both internal and external breaches).
◈ Can server data be backed up?
Backing up data meets the availability of PHI requirement set forth by HIPAA. To ensure that data can be accessed in the event of a natural disaster, emergency, or data theft incident, HIPAA compliant servers must enable data back up. Backed up data must also be encrypted if it contains PHI.
◈ Are automatic updates enabled?
Automatic updates ensure that server vulnerabilities are addressed quickly. This is important for HIPAA compliant servers as risk to PHI is reduced. Servers that don’t enable automatic updates can leave PHI vulnerable to unauthorized access.
◈ Is there a means for data disposal?
PHI that is no longer needed must be properly disposed of. PHI disposal methods must be in line with NIST standards to ensure that the data is adequately destroyed.
HIPAA Compliant Servers: Business Associate Agreements
Even if a server provider has all of the necessary security features, it cannot be considered HIPAA compliant if they are unwilling or unable to sign a business associate agreement (BAA). A BAA is a legal document that dictates the protections that the server provider is required to have in place securing PHI. A BAA also requires each singing party to be responsible for maintaining their compliance.