One of the main goals of the Health Insurance Portability and Accountability Act is to protect the privacy and integrity of patient health information, particularly when it is handled in electronic formats. Business entities that deal with protected health information in the United States are expected to comply with certain HIPAA guidelines. This goes beyond dental and medical clinics: companies that operate as vendors to the healthcare industry, and even developers of software that collects and stores patient data, are also bound by HIPAA compliance rules.
HIPAA compliance starts at the server level and continues through the electronic communications and data-sharing processes. Whether the server is physically located in a clinic or in a cloud computing data center, here are the most important HIPAA compliance aspects:
- Comprehensive data encryption: Protected health information must be encrypted at all times, including when it is archived or shared with third-party companies. The server encryption keys must be properly stored and managed.
- Login credentials and authentication: The username and password combinations given to employees, partners, and third parties who will have access to patient information cannot be shared. Moreover, all users who need to access the server where protected health information is stored must be properly authenticated with a security certificate.
- Technical support: Technicians who look after HIPAA servers must be properly trained with regard to compliance and audit requirements. Furthermore, the software platforms installed on the server must be properly updated with all security patches and fixes.
- Encrypted backups: Patient information must be securely backed up in a safe location, and the data must be properly encrypted. When it comes to data deletion procedures, protected health information needs to be completely wiped in accordance with the procedures set by the National Institute of Standards and Technology.
- Server logs for audit purposes: All server logs must be stored in a separate location and kept for at least six years. These logs should be made available to the Office for Civil Rights of the U.S. Health and Human Services Department upon demand.