Last week, we published Part One, where we talked about IT and the seemingly infinite compliance laws – specifically HIPAA – in industries such as financial services, education, healthcare, retail, and government. This week, we’ll dive a bit deeper into HIPAA and the required and addressable safeguards that go along with it.
The HIPAA Security Rule encompasses the standards that must be applied to protect Electronic Protected Health Information (ePHI) both at rest and in transit. It covers anyone, and any system, that has access to confidential data; the ability to read, write, modify, or communicate ePHI; or any data that might reveal the identity of a person under care.
What follows are the specific safeguards, both required and addressable – all to be measured and explained during a routine audit.
The following components of the technical safeguards are addressed and exceeded by implementing Nerdio. With access control using unique user IDs, automatic logoff, encryption and decryption tools, and full activity audit controls, every aspect of the technical safeguards can be quickly, and more importantly, properly addressed through the platform.
The physical safeguards deal with the facility and access to the location where the ePHI data is stored. Nerdio relies on hardened, SOC 2 Type II audited facilities, which we’ve unobtrusively placed in several distinct geographic regions and built out to be fully redundant. This covers everything from servers and storage devices to routers and firewalls, all to maximize data protection.
Because of this, the policies and controls needed to be compliant are reduced to workstation use policies, mobile device policies, and hardware inventory – all of which are great targets for add-on consulting services and the continued sales discussion.
HIPAA administrative safeguards combine the privacy and security related rules governing the conduct of the workforce, continued operations during an emergency, and the policies and procedures that apply to third-party access (contractors, temporary help, etc.).
Nerdio can be the foundation of the contingency plan for business continuity. It provides both a method and an auditable solution, with built-in testing and logging reports, to satisfy the most difficult components contained in the administrative safeguards.
Restricted third-party access, which is a required component, is easily tamed under the same access controls used in the technical safeguards – with full control over the time window and the specific data these third parties can access. All user activity is logged and available for audit. The remaining elements, again, are fertile ground for add-on services that provide risk assessments, contingency planning, reporting, and training.
MSPs can confidently and aggressively pursue heavily regulated sectors, fully meeting the complexity of IT compliance. Nerdio covers the data, access, and backup requirements – allowing the MSP to add services around the physical on-site requirements for devices, workstations, and the workplace. The solution can also be bundled with consulting services addressing policies and documentation to create a world-class, fully compliant solution. You’ll be the HIPAA hero.