What Makes a HIPAA Compliant Data Center?

Posted by John Feucht on Sep 4, 2014 1:17:00 PM

“Is your data center HIPAA compliant?”

We hear that question all the time from the owners of small businesses in the healthcare field—from one-doctor medical practices to health insurance brokerages—as they shop around for a host for their medical records systems, email, data storage, and other IT functions.

It’s a broad question. The short answer is yes: our data center is run to HIPAA’s requirements. But it isn’t really the right question.

It’s easy enough for us, or any other IT provider, to claim we’re HIPAA compliant. HIPAA has no certification program, so the claim only means the provider believes its controls satisfy the Security Rule’s administrative, physical, and technical safeguards. What does that really tell you about a data center?

Don’t just take our word for it, or the word of any IT provider you’re evaluating. Any provider that will store or process your patients’ protected health information must also sign a business associate agreement (BAA) with you; if they won’t, stop there. Beyond that, here are some of the right questions to ask to confirm that an outsourced IT provider can safeguard your patients’ and customers’ health information the way HIPAA requires:

Physical Requirements

  • Do you keep data backups in a secure, reliable facility in a separate geographic location, so that a single fire, flood, or outage cannot take out both the primary systems and the backups?
  • Do you have clear policies and authentication requirements in place so that only authorized personnel can physically access the servers, switches, modems, firewalls, and the other components that keep an IT system connected and running, and is that access logged?
  • Is your physical IT equipment secured throughout its lifetime, including retirement and recycling? Drives and other media should be wiped or destroyed before they leave your control, and you should be able to show a record of it.
  • Do your systems have redundant power supplies and Internet circuits?

Technical Requirements

  • Do you follow good information access management practices? These should include unique user identification, automatic logoff after a period of inactivity, no factory-default passwords on any device, and encryption of data both at rest and in transit.
  • Do you have data backup and disaster recovery procedures in place? This should include procedures for recording and responding to security incidents, as well as contingency planning so service can be restored after an outage.
  • Do you segregate each of your clients, and your own business, from a technical standpoint? In other words, is it possible for one of your clients to access another client’s data? The answer here should be no, and the provider should be able to explain how that separation is enforced.

Service Requirements

  • How much support is actually covered in the service level agreement (SLA)?

A note on that last point, because this is a common problem small businesses run into with their IT partners:

A service level agreement (SLA) is the document in which your IT provider spells out the services it will provide during the course of your partnership. Unfortunately, many SLAs only make the IT provider responsible for supporting its own software. That means that if there are technical issues with other hardware or software you use and you ask your IT provider for help, you will often get an answer that amounts to, “It’s not our problem.”

A good partner will go above and beyond and try to help you with any IT issue. After all, they are your outsourced IT department. HIPAA’s contingency plan standard requires you to maintain retrievable, exact copies of your electronic protected health information and to be able to restore them, no matter what goes wrong and regardless of who provided the software or hardware that failed. A poor SLA might not guarantee this, so read it before you sign.

Go In-Depth on Data Centers and HIPAA

The above questions are just to get you started. If you really want to become an expert on HIPAA so that you can make the best decisions about IT for your small healthcare business, download our free guide, “HIPAA Compliance in the Cloud.” You’ll learn even more about what it takes to achieve HIPAA compliance and the pros and cons of the options available to you.


Main blog image credit: Ben Jones, Flickr

Topics: HIPAA
