IT-as-a-Service and HIPAA Compliance – Part Two

Last week we published Part One, which covered IT-as-a-Service and the seemingly endless compliance regimes, HIPAA in particular, that apply to industries such as financial services, education, healthcare, retail, and government. This week we dig deeper into HIPAA and the required and addressable safeguards that come with it.

HIPAA Security Rule

The HIPAA Security Rule sets the standards that must be applied to protect electronic Protected Health Information (ePHI) both at rest and in transit. It applies to any person or system that can access confidential data, that can read, write, modify or transmit ePHI, or that holds any data that could reveal the identity of a person under care.

What follows are the specific safeguards, both required and addressable. All of them must be measured and explained during a routine audit. Note that "addressable" does not mean optional: an addressable specification must be implemented if it is reasonable and appropriate, and if it is not, the reason and any equivalent alternative measure must be documented.


Technical Safeguards

The following components of the technical safeguards are covered by an implementation of Nerdio. With access control using unique user IDs, automatic logoff, encryption and decryption tools, and full activity audit controls, each of these technical safeguards can be addressed quickly and, more importantly, properly through the platform.

  • Implement a means of access control (required)
  • Introduce a mechanism to authenticate ePHI (addressable)
  • Implement tools for encryption and decryption (addressable)
  • Introduce activity audit controls (required)
  • Facilitate automatic logoff (addressable)

Physical Safeguards

As the name implies, these components deal with the facility and with access to the location where the ePHI is stored. Nerdio runs in hardened, SOC 2 Type II audited facilities in several distinct geographic regions, built out to be fully redundant, from servers and storage devices through to routers and firewalls, all to maximize data protection. Note that a SOC 2 report does not by itself transfer HIPAA responsibility: a hosting provider that stores ePHI is a business associate and must be covered by a Business Associate Agreement (BAA).

Because the facility controls are inherited from the data center, the policies and controls the MSP still needs to supply are reduced to workstation use policies, mobile device policies, and a hardware inventory, all of which are natural targets for add-on consulting services and the continued sales discussion.

  • Facility access controls must be implemented (addressable)
  • Policies relating to workstation use (required)
  • Policies and procedures for mobile devices (required)
  • Inventory of hardware (addressable)


Administrative Safeguards

The HIPAA administrative safeguards combine the privacy and security rules as they apply to the conduct of the workforce, continued operations during an emergency, and the policies and procedures governing third-party access (contractors, temporary staff, and so on).

Nerdio can be the foundation of the contingency plan for business continuity. It provides both a method and an auditable solution, with built-in testing and logging reports, to satisfy the most difficult components of the administrative safeguards.

Restricting third-party access, a required component, is handled by the same access controls used for the technical safeguards, with full control over when, and to which specific data, these third parties have access. All user activity is logged and available for audit. The remaining elements are again fertile ground for add-on services: risk assessments, contingency planning, reporting, and training.

  • Conducting risk assessments (required)
  • Introducing a risk management policy (required)
  • Training employees to be secure (addressable)
  • Developing a contingency plan (required)
  • Testing of contingency plan (addressable)
  • Restricting third-party access (required)
  • Responding to and reporting security incidents (required)

Summary

MSPs can confidently pursue heavily regulated sectors and meet the full complexity of IT compliance. Nerdio covers the data, access, and backup requirements, leaving the MSP to add services around the physical on-site requirements for devices, workstations, and the workplace. The solution can also be bundled with consulting services covering policies and documentation to create a complete, fully compliant offering. You'll be the HIPAA hero.


Written By

  • Vadim Vladimirskiy

    A creative technologist with a mind for business, Vadim Vladimirskiy is the head honcho at Adar. Vadim’s the brains behind the evolution of Nerdio, bringing Streaming IT to the masses – that is, small and medium sized organizations. When he’s not continually pushing the IT envelope, Vadim’s at home with his loving wife and four boisterous kids.

Nerdio Blog