HIPAA: Compliance or Certification?
Did you know there’s no such thing as a “HIPAA Certification”? According to the US Department of Health and Human Services website, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The same goes for business associates: If a company tells you they are “HIPAA Certified”, it’s usually just a marketing tactic.
HIPAA compliance is solely based on a covered entity or business associate’s internal practices falling into line with HIPAA requirements. The rules state that organizations must periodically review their technical and non-technical security practices and procedures. This can be done internally, or by an external group who can provide “certification”.
However, HHS does not recognize or endorse any independent organization’s certifications. Having a certification from an outside agency does not absolve covered entities and business associates of HIPAA Security Rule requirements, and does not preclude HHS from finding violations on their own. So basically, if you get a certification from an external agency and they miss a violation at your organization, HHS could still find it and fine you for noncompliance. A certification offers no protection in this situation.
So then, how can a covered entity be sure they’re fully HIPAA compliant? Or how can they be sure the business associate they’re interested in working with meets HIPAA regulations and requirements? The only true way to know is to know the rules and make sure you and your business associates are following them.
Instead of claiming a “HIPAA Certification”, Gillware Online Backup has decided to help you understand what HIPAA compliance includes and how our backup solution meets the criteria laid out by the Security Rule for the handling of electronic protected health information (e-PHI):
- Data must be encrypted during transmission. Data at rest must either be encrypted or destroyed. Gillware’s backup solutions use a unique key generated during installation to encrypt data during transfer and storage. Data is transferred to and from Gillware’s servers using the SSL protocol, and remains securely encrypted while being stored in our data centers.
- Data must be recoverable and must be able to be fully restored with an exact copy in case of data loss. Gillware makes restoring data from a backup easy. You can restore data on your own, or our dedicated technical support team can help walk you through the process. The file-based solution includes revision history, which ensures that you have not only the most recent version of a file, but as many older versions as you want as well.
- Data must be stored offsite in case of any disaster at the original site of the organization. Both Gillware’s file-based and full image backup solutions include offsite cloud backup storage.
- Data must be backed up frequently enough so the most current e-PHI can be accessed in case of a restore. Oftentimes, users can forget to back up their data on a regular basis, or don’t want to take the time to do it. Gillware’s backup solutions are automated and run on a customizable schedule, so users don’t have to remember to back up, and they don’t need to take time out of their busy day to perform a backup.
- The same security measures taken during backup must also be observed during emergency mode. Gillware Online Backup encrypts data while it is being backed up, as well as while it is being restored for maximum security.
- There must be written procedures of backup and recovery plans documented. Using Gillware Online Backup simplifies your backup and recovery plans tremendously. Instead of needing to remember to back up to external hard drives, replicate data to tape drives, and store physical backups offsite, your backup and recovery plan is all included in Gillware’s backup solutions.
- Recoveries must be tested in order to ensure backups are working properly. Testing your backups with Gillware is also easy. Aside from various verification methods that let you know backups are working properly, you can test backups by restoring data. Our technical support team can also assist with this.
When it comes down to it, you shouldn’t leave your HIPAA compliance up to chance. Be sure that your organization is following the rules and that all of your business associates are fully compliant as well. Certifications won’t do you any good if HHS finds violations at your organization or with one of your vendors. Know the requirements and get in compliance!