HIPAA Compliant Data Centers



1.0. Executive Summary
2.0. Impact of HITECH and HIPAA on Data Centers
3.0. What is a HIPAA Compliant Data Center?
     3.1. Administrative Safeguards
     3.2. Physical Safeguards
     3.3. Technical Safeguards
     3.4. Organizational Requirements
          3.4.1. Business Associate Agreements
     3.5. HIPAA Compliant Data Center Architecture
          3.5.1. Requirements
          3.5.2. Enhanced Security
4.0. Outsource vs. In-House Hosting
     4.1. Benefits of Outsourcing Hosting
     4.2. Risks of Outsourcing
5.0. Vendor Selection Criteria
     5.1. HIPAA Compliant Business Associates
     5.2. Other Key Data Center Considerations
6.0. Conclusion
7.0. References
     7.1. Questions to Ask Your HIPAA Hosting Provider
     7.2. Example BAA
     7.3. Data Center Standards Cheat Sheet

1.0. Executive Summary

The increasing pressure to implement meaningful use, reduce healthcare costs, and improve care outcomes while still protecting patient interests has led to strategic review and overhaul by many healthcare providers and vendors. Evaluating outsourcing options to allow industry experts to manage parts of the healthcare IT components is an obvious part of the equation, and the intensive capital expense, human resource, security, and maintenance demands specific to data centers make these prime candidates for cost savings.
However, balancing the resource benefits of outsourcing data center and hosting services with the risks of engaging an off-premise business associate is daunting in the wake of increasing PHI (protected health information) breaches and penalties. Ultimately, finding the best blend of resources that can fulfill the availability, integrity, and confidentiality requirements to protect ePHI (electronic protected health information) - and thereby protecting the patients, covered entities, and business associates - is the challenge at hand.
This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

2.0. Impact of HITECH and HIPAA on Data Centers

Protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) is the essence of the HIPAA Security Rule[1]. Since data centers typically store, transmit, or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence apply just as much in the data center as in a provider's facility.
While there is some debate about the responsibilities of business associates for the protection of ePHI, all indications point towards business associates being held as responsible as covered entities. Consider the latest notice of proposed rulemaking that speaks to the extension of responsibilities from covered entities to business associates:
As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities.[2]
Moreover, both covered entities and business associates should bear in mind that prosecution by the Office for Civil Rights (OCR) under HITECH is not the only legal concern. The last year has witnessed an increase in state and consumer lawsuits against both covered entities and business associates. In January 2012, the Minnesota Attorney General filed a lawsuit against Accretive Health for failing to protect the confidentiality of over 23,000 patient healthcare records.[3]
The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ePHI resides. This means that data centers, whether in-house or outsourced, need to fully embrace complete responsibility for ePHI. In the areas of administrative safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare providers tend to be stronger. In the areas of technical safeguards and PHI availability, professional data center companies that invest extensively in redundant facility infrastructure and security may be the safer bet.
Ideally, either a healthcare provider would have infinite resources to build and maintain multiple, high-availability data centers or a data center hosting business associate would have a thorough understanding of HIPAA compliance including a HIPAA security risk analysis and management, policies, training of all employees, and ongoing HIPAA compliance audits. While both ideals exist, they are in the minority. In these cases, the weighing of the pros and cons falls back to the risk analysis and management to choose the best option that will maintain ePHI confidentiality, integrity, and availability.

3.0. What is a HIPAA Compliant Data Center?

Data centers need to adhere to the administrative, physical, and technical safeguards and standards set forth by the HITECH act to be HIPAA compliant. Following is a brief review of the administrative, physical, and technical safeguards with specific notes applicable to data centers.

3.1. Administrative Safeguards

The Security Management Process described under 164.308(a)(1) includes requirements for HIPAA Risk Analysis and Risk Management, which "form the foundation upon which an entity's necessary security activities are built" (68 Fed. Reg. 8346).[4]
Start by reviewing the data center's HIPAA Report on Compliance, sometimes referred to as an HROC. Providers who maintain their own data centers are likely to have this included in their risk analysis and management plan already. It can serve as a useful point of comparison across the various HIPAA standards, citations, and implementation specifications when outsourcing to a third-party data center business associate.
Data center providers who have invested in an independent HIPAA risk assessment should provide a copy of their HIPAA compliance report upon request, at least under NDA. When a data center business associate can provide a HIPAA compliance report, it will save covered entities (CEs) significant costs of evaluating HIPAA compliance, which should happen in advance of entering into a partnership. If a CE elects to outsource data center hosting services to a business associate that does not have, or does not provide, an independent HIPAA report on compliance available, the CEs will have to bear the burden of evaluating compliance and proving due diligence.
Not all HIPAA reports on compliance are made the same. Check that your business associates have been audited against the latest OCR (Office for Civil Rights) HIPAA Audit Protocol for assurance that they are operating at federal-level standards for data center security.
Other Administrative Safeguards that should be in place in all data centers that store, transmit, or process ePHI include:
  • Assigned Security Responsibility 164.308(a)(2)
  • Workforce Security 164.308(a)(3)
  • Information Access Management 164.308(a)(4)
  • Security Awareness and Training 164.308(a)(5)
  • Security Incident Procedures 164.308(a)(6)
  • Contingency Plan 164.308(a)(7)
  • Evaluation 164.308(a)(8)
  • Business Associate Contracts and Other Arrangements 164.308(b)(1)

3.2. Physical Safeguards[5]

Standards (with section) and their implementation specifications:
Facility Access Controls - § 164.310(a)(1)
  • Contingency Operations
  • Facility Security Plan
  • Access Control and Validation Procedures
  • Maintenance Records
Workstation Use - § 164.310(b)
Workstation Security - § 164.310(c)
Device and Media Controls - § 164.310(d)(1)
  • Disposal
  • Media Re-use
  • Accountability
  • Data Backup and Storage
Nothing beats an on-site visit to ascertain the level of security. Think of it this way: this data center might hold the data of hundreds, or thousands, of your patients. You want to feel the same sense of solid trust and ease from your visit - the same way you want your patients to feel towards their own care providers. As an extension of a covered entity, the business associate should foster a sense of expertise, careful procedure, and a willingness to communicate openly about questions and policies. Imagine the first night of sleep after moving your PHI to this place - will you sleep soundly, or lie awake in dread?
Things to check for include the following:
  • Two-factor authentication - If not personally escorted, anyone in the data center should be wearing a badge to identify them and need at least two forms of identification for access, such as badge and access code, or biometric fingerprint scanner and badge. If you go for a data center visit and are not asked to sign in and wear a badge, security should be considered less than adequate.
  • Prolific use of video surveillance - Ask to see the video logs and how long they are kept (should be at least 90 days).
  • Visitor logging - The entries in the logbook should directly match the video surveillance tapes. Ask when the last independent auditor confirmed the match of visitor logs with the video archives. Ask who the auditor was and investigate the auditor's company to confirm their credibility.
  • Procedure Documentation - Ask to review the documentation for the procedure to allow access by unannounced visit, phone call, or email. Don't just ask the security or compliance officer - ask anyone. If there is a consistent policy and procedure in place, you should get a consistent and reassuring answer.

3.3. Technical Safeguards[6]

Standards (with section) and their implementation specifications:
Access Control - § 164.312(a)(1)
  • Unique User Identification
  • Emergency Access Procedure
  • Automatic Logoff
  • Encryption and Decryption
Audit Controls - § 164.312(b)
Integrity - § 164.312(c)(1)
  • Mechanism to Authenticate Electronic Protected Health Information
Person or Entity Authentication - § 164.312(d)
Transmission Security - § 164.312(e)(1)
  • Integrity Controls
  • Encryption
The HIPAA Security Rule does not require specific technology solutions, but it does outline the standards and implementation specifications. The Rule's intent is to allow covered entities the flexibility to determine which security measures are a good fit for their company, depending on size and different needs.
The HHS provides guidance around the implementation specifications below:
  • Unique User Identification - Assign a unique user ID to each employee that can allow your company to track user activity while the user is logged into an information system.
  • Emergency Access Procedure - Establish a written procedure outlining the protocol to access ePHI in the event of an emergency, including policies around who needs access and possible ways to gain access.
  • Automatic Logoff - Automatic logoff should be implemented on every workstation with access to ePHI after a certain period of inactivity.
  • Encryption and Decryption - This is not required, but instead recommended as a safeguard to be implemented only if deemed reasonable and appropriate for the covered entity. Determine which ePHI or software programs are appropriate for encryption.
  • Audit Controls - This refers to implementing a system that logs and monitors activity on information systems with ePHI.
  • Authentication - Intended to protect the integrity of ePHI, the existing systems should have functions or a process to check for data integrity, such as digital signatures. When it comes to person or entity authentication, proof of identity should include a password or PIN, smart card, token, key and/or biometrics (fingerprints, facial patterns or voice patterns).
  • Transmission Security - For integrity controls, the primary method to protect ePHI is through the use of network communications protocols, although other methods include data or message authentication codes. Encryption is another option to consider after reviewing your company's methods of transmission, frequency of transmission, and potential issues found in your risk analysis.
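The Integrity and Transmission Security specifications above mention message authentication codes as one way to detect modification of ePHI in transit. The following added example (not part of the white paper, and not any vendor's code) shows the technique with a keyed HMAC over a canonical serialisation of a record: the sender attaches a tag, the receiver recomputes it and rejects any record whose tag does not match. The record fields, the demo key and the function names are constructed for illustration.

```python
"""Integrity protection of an ePHI record with HMAC-SHA256 (added example).

Demonstrates the "message authentication code" option named in the HIPAA
Integrity / Transmission Security implementation specifications. A MAC
proves the record was not altered by anyone without the key; it does not
hide the record, so it is paired with an encrypted channel in practice.
"""
import hashlib
import hmac
import json

# Constructed demo key. In production the key comes from a key management
# system or HSM and is shared only between the two authenticating parties.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically (sorted keys, no whitespace) so sender and
    receiver authenticate exactly the same bytes regardless of field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect_record(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return an envelope carrying the record and its HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(envelope: dict, key: bytes = DEMO_KEY) -> bool:
    """Recompute the tag over the received record and compare in constant
    time. Any change to any field produces a different tag."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed sample ePHI record (fictional patient and values).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "encounter": "2012-01-15T02:05:00Z",
    "allergies": ["penicillin"],
    "medications": ["metformin 500mg"],
}


def tamper_demo() -> tuple:
    """Show that an intact envelope verifies and a modified one does not."""
    envelope = protect_record(SAMPLE_RECORD)
    intact = verify_record(envelope)

    # Simulate modification in transit: the allergy list is silently emptied.
    tampered = json.loads(json.dumps(envelope))  # deep copy of the envelope
    tampered["record"]["allergies"] = []
    return intact, verify_record(tampered)


if __name__ == "__main__":
    ok, tampered_ok = tamper_demo()
    print("intact record verifies:", ok)        # True
    print("tampered record verifies:", tampered_ok)  # False
```

The receiver must use `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading characters of the tag were correct; and because the tag is keyed, an attacker who can alter the message cannot simply recompute a plain hash to match.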

3.4. Organizational Requirements[7]

Standards (with section) and their implementation specifications:
Business associate contracts or other arrangements - § 164.314(a)(1)
  • Business Associate Contracts
  • Other Arrangements
Requirements for Group Health Plans - § 164.314(b)(1)
  • Implementation Specifications
  • Policies and Procedures
  • Documentation (Time Limit, Availability and Updates)
The Organizational Requirements found in the HIPAA Security Rule concern contracts and agreements with business associates (BAs) and the policies, procedures and documentation guidelines for group health plans.
  • Business Associate Contracts (or Agreements, BAA) - This ensures business associates will implement the HIPAA safeguards to protect ePHI they receive or maintain on behalf of the covered entity. It also ensures that any subcontractors they work with will also follow the safeguards. The agreement requires BAs to report all security incidents and allow contract termination if any violations occur (read more about BAAs below).
  • Other Arrangements - This is allowed only if both the business associate and the covered entity are government entities, and they enter into a memorandum of understanding (MOU) that addresses all of the objectives of a BAA.
  • Group Health Plans - The implementation specifications are the same as those required for BAAs (above). Required policies, procedures and documentation must be retained for a period of at least six years, be available via print or Intranet, and reviewed and updated based on environmental or operational changes that affect ePHI security.

3.4.1. Business Associate Agreements

Not only does an effective business associate agreement need to be in place between covered entities and their business associates; the contractors and vendors of the business associate must also share and sign business associate agreements if there is any potential of access to PHI data.[8]
The business associate agreement (BAA) is the ideal place to clarify the roles and responsibilities between the covered entity and the business associate, including what each party must be able to produce after an incident. For example, the OCR requires the following documentation in the event of a PHI breach:
Documentation
  • Documentation of the covered entity's admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.
  • Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.
  • Documentation of the covered entity's corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:
      • Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity's current policies and procedures, and as required by the Privacy Rule.
      • Re-training of appropriate workforce members.
      • Mitigation of the harm alleged, as required by the Privacy Rule.
HIPAA Policies and Procedures
  • A copy of HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically ePHI.
  • A copy of the policies and procedures implemented to safeguard the CE's facility and equipment.
Physical Safeguards
  • Evidence of physical safeguards implemented for computing devices to restrict PHI access.
  • Business Associate Agreements and/or policies and procedures implemented to ensure Business Associates have implemented the appropriate safeguards (if applicable).
Risk Assessment
  • A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.
  • Evidence of security awareness training for involved workforce members including training on workstation security.
  • Evidence of the implementation of a mechanism to encrypt ePHI stored on the workstations.
Breach Notification
  • A copy of the written notification of the breach provided to the affected individuals.
  • A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.
Much of the required documentation requires months of planning and implementation. If you sign a BAA today, and have a PHI breach tomorrow, are you confident that your data center can provide the necessary information to respond in a thorough and timely manner to the OCR?

3.5. HIPAA Compliant Data Center Architecture

The diagram below shows elements of a HIPAA compliant hosting architecture.
To create this, we worked with Certified HIPAA Security Specialists and Certified HIPAA Professionals who matched each HITECH standard, specification, and implementation with a common technology application to meet Security Rule compliance.
Each element is described below.
[Diagram: HIPAA compliant data center architecture]

3.5.1. Requirements

Antivirus
The Security Awareness and Training Standard of the HIPAA Security Rule (Section 164.308(a)(5))[9] specifically calls out the need for "Protection from Malicious Software." We all use antivirus on our laptops, so using this on a server operates under the same premise: safety and security for critical infrastructure. This is one of the most important elements of security you can buy for the money for a managed server.
OS Patch Management
Routine OS patch management is required in today's IT climate. And yes, there are many older servers, older applications, and just plain old implementations out there that IT administrators are scared to touch. These are, for example, the MS-SQL 2000 implementations that are connected to disparate systems, ERP systems, and other legacy applications that IT managers feel might break if patched. These are often unpatched due to lack of funding for application redesign, and sheer terror on the part of some IT managers to implement change for the security and good of the company.
With all the security bulletins, holes, bugs, zero-day exploits, viruses, and other security vulnerabilities announced daily for operating systems, applications, and databases, a solid process is needed to design a patch process that safeguards all systems. This includes choosing one or more patch process tools, processes, and procedures, and then setting up a unified test, staging, and production environment to test the patches.
Backup and Disaster Recovery
The HIPAA Contingency Plan standard described in section 164.308(a)(7)[10] requires a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis. Part of proving due diligence is holding CEs and BAs responsible for ensuring PHI is not destroyed or lost in the event of a disaster. Offsite data backups are imperative and offsite disaster recovery is strongly recommended.
Patient care is not a 9-5 job; a primary driver behind electronic health records is the portability and availability of patients' records to health care providers around-the-clock. Availability means that PHI is always available, accessible and never lost. When a patient arrives in the emergency room at two o'clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient's records at his fingertips.
Protecting healthcare data, and ensuring its availability means putting procedures in place to mitigate disasters, and having a solid plan in-hand to activate when a disaster occurs. The infrastructure to do this is defined by two perspectives:
  1. Disaster Prevention - Putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
  2. Disaster Recovery - Assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if a disaster occurs in the primary data center.
High Availability, Redundant Firewalls
Firewalls can help meet both the administrative safeguard requirement to protect PHI from malicious software (164.308(a)(5)) and the technical safeguard requirement to tightly control access to PHI (164.312(a)(1)). The data center should be protected by redundant, or high availability, firewalls so that if one fails due to a hardware, software, or power issue, a second firewall still stands between PHI and a malicious attack. Intrusion detection and intrusion prevention capabilities should also supplement firewall protection, and are often a feature of modern firewall and unified threat management appliances.
Plan or evaluate with the knowledge that it's not a matter of "if" a firewall fails, it's "when" a firewall fails. Look for every single point of failure in the data center and plan high-availability redundancies anywhere they exist. For example, the firewalls should be plugged into separate power strips that are connected to separate power feeds in the data center. If the redundant firewalls are plugged into a single power strip that blows a breaker fuse, all redundancy is lost.
High Availability, Redundant Routers
Routers are responsible for passing data between the data center and the Internet. To ensure that PHI is always available, the data center should use redundant routers so that traffic continues to flow when one router experiences a hardware, software or power failure. Routers should be powered by separate power strips connected to separate power feeds for true redundancy.
High Availability, Redundant Internet Service Providers
If the data center relies on a single Internet Service Provider (ISP), PHI availability will be at risk. Ask if the data center that will be protecting your PHI has separate ISPs that connect via different sides of the data center. Ask if the redundant service providers connect all the way to the data center directly through the same or disparate last-mile connections - different last-mile fiber connections will provide enhanced redundancy.
HIPAA Trained Staff and Documented Policies
The most secure technologies are rendered useless without a culture of processes that ensures that secure policies and procedures are documented and consistently followed. Review of independent audit reports (measured against the OCR HIPAA Audit Protocol) should reflect a foundation of secure policies that guide day-to-day operations.
HIPAA compliance also requires that all staff receive HIPAA security training and ongoing security updates. Ask potential vendors if all members of their staff have received HIPAA security training, where HIPAA compliance documents and policies are kept (every employee should know), and the date of the last training and security update. A company with a culture of security and compliance will have answers readily at hand.

3.5.2. Enhanced Security

The following section describes additional enhanced security measures a CE can put in place to further hedge against the risk of a PHI breach. While these enhanced protections come at an additional cost to the IT budget, the cost of cleaning up the aftermath of a breach is far greater to the business.
Two-Factor Authentication
One of the weakest links in protecting PHI is the use of simple passwords. It may seem like common sense that passwords based on a spouse's name, an anniversary, or simple patterns like "abc123" or "123456" are not sufficient to protect PHI, but ensure there is a written policy requiring complex passwords of at least 8 characters that combine lower case letters, upper case letters, numbers, and special symbols. A policy of changing passwords regularly (every 90 days) is a good start.
To protect against weak or stolen passwords, implement two-factor authentication. This requires multiple forms of identification for a login, such as a code together with a username/password combination. Biometric login systems may require a fingerprint along with a code or keycard. For cloud and web-based applications, two-factor authentication systems require a username, password, and a code that is sent to a mobile device by phone call or text message. Ask your cloud provider if they provide two-factor authentication services for VPNs and web-based logins, or contract with a service such as Duo[11] to improve PHI protection.
SSL Certificate (Web Apps)
To secure PHI data in a web-based application, an SSL (Secure Sockets Layer) certificate is a must. The SSL certificate is used by software that encrypts all data moving between two or more end-points (i.e. from a browser to a server containing the application or website). Since many healthcare applications are now hosted in the cloud and accessed by browsers (Internet Explorer, Chrome, Firefox), the SSL certificate is essential to proper security.
File Integrity Monitoring (FIM)
File integrity monitoring refers to ensuring the integrity of the files on a server. The basic technique is the comparison of the current file to the known, safe baseline. While file changes are expected and within the normal realm of daily interaction and activity, there are a few key changes that may trigger additional investigation such as a change of ownership, security settings, or configuration values.
When the enhanced security of FIM makes sense, a separate server is often set up to perform this function using one of many third party software applications to monitor and evaluate file changes and alert administrators of any suspicious activity.
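The FIM technique described above, as an added example that is not part of the white paper or any vendor's product: a baseline of content hash, permission bits and ownership is recorded for every regular file under a directory, and a later snapshot is compared against it so that each difference is classified as the kind of change the text says warrants investigation (content, permissions, ownership, added or removed file). The directory layout, file names and the changes made in `demo()` are constructed for illustration.

```python
"""File integrity monitoring against a hashed baseline (added example).

Records SHA-256, permission bits and owner/group for each regular file under
a root, then diffs a later snapshot against the baseline. The demo tree and
the changes applied to it are constructed; on a real server the baseline
would be stored off-host and the comparison run on a schedule.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file content in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative path) to its hash, mode and ownership."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            result[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots by the kind of change."""
    findings = {"added": [], "removed": [], "content": [], "permissions": [], "ownership": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["added"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        else:
            b, c = baseline[rel], current[rel]
            if b["sha256"] != c["sha256"]:
                findings["content"].append(rel)      # edited configuration or binary
            if b["mode"] != c["mode"]:
                findings["permissions"].append(rel)  # e.g. a key file made world-readable
            if (b["uid"], b["gid"]) != (c["uid"], c["gid"]):
                findings["ownership"].append(rel)    # file handed to another account
    return findings


def demo() -> dict:
    """Build a constructed tree, baseline it, apply four changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "secret.key").write_text("constructed-demo-key\n")
        (root / "etc" / "secret.key").chmod(0o400)
        (root / "bin").mkdir()
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        baseline = snapshot(root)

        # Simulated changes an administrator would want to investigate.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.7\n")  # config value changed
        (root / "etc" / "secret.key").chmod(0o644)                       # permissions weakened
        (root / "bin" / "run.sh").unlink()                               # file removed
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")           # file added

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points a practitioner would add before relying on this: the baseline must live somewhere the monitored host cannot rewrite (otherwise whoever changes a file can re-baseline it), and directories that change constantly (logs, spools, temp) are excluded so that the alerts that remain are the ones worth a human's time.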
Web Application Firewall (WAF)
A web application firewall is specifically built to monitor website traffic for the transmission of sensitive data and potentially block any network traffic that does not fit within the allowable configuration. For PHI applications that involve a website where security is paramount, use of a WAF may make sense. It is a powerful tool in the security toolbox for consideration, and can prevent leakage of PHI data by unauthorized users.
Encryption
Encryption for data at rest and in transit is very strongly recommended. When transmitting PHI, encrypted data should be sent over an encrypted connection for ultimate security. When using encryption for PHI, one should follow the NIST (National Institute of Standards and Technology) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, standards for encryption.[12]
Data at rest constitutes data stored on servers or backup systems (tape or disk) while not in use. This data needs to be encrypted in case of disk theft or unauthorized access. Many data breaches are due to lost or stolen unencrypted portable devices (laptops or smartphones) - PHI should not be stored on portable devices, but instead in HIPAA compliant data centers that serve the data to mobile devices. That way, thousands of patient records aren't stored on any of your computing devices, but instead in a secure location that can be accessed through a mobile device. This greatly improves your PHI security - if you lose the device, you won't lose all of the sensitive data as well.
Additionally, the HIPAA breach notification rule only requires reporting of unencrypted data breaches in cases where 500 individuals are affected. If your data is encrypted and you experience loss or theft of data, you are not required to notify the HHS, the media or any affected individuals.[13]

4.0. Outsource vs. In-House Hosting

4.1. Benefits of Outsourcing Hosting

Save on Costs

Why would a covered entity with sensitive data outsource their hosting solution to a third-party? A HIPAA compliant hosting provider that has already passed an independent HIPAA audit (measured against the OCR HIPAA Audit Protocol) can save time and money by eliminating the need to audit your vendor in addition to your own business. While it does not release you of the obligation and responsibility of meeting compliance, it helps you more readily achieve compliance and mitigate risk.
Additionally, managed hosting allows your IT team to focus on the applications directly related to your business, not on the day-to-day details involved with server updates, data center infrastructure, network management and security which can more readily be outsourced to a trusted provider.
Security
A HIPAA compliant hosting provider can provide the latest tested and audited technology to help achieve compliance and secure your ePHI. With a variety of required and recommended security methods, you can trust experienced, certified professionals to maintain, monitor and accurately generate logs of activity on your servers.
Outsourcing allows you to benefit from the various levels of security that a quality hosting provider should have in place. These advantages include physical security, environmental controls, logged access and video surveillance, and multiple alarm systems to detect unauthorized access.
Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired universal threat management devices to protect sensitive information.
While the HITECH Act requires private accessibility on request by your patients, your outsourced hosting provider should never access PHI, but instead build, maintain and monitor the secure infrastructure that your sensitive information is stored and transmitted in.
Availability
The use of high-availability (HA) solutions in a fully redundant and compliant data center can allow clients to increase their uptime and PHI availability. Using an HA infrastructure can reduce the risk of business downtime due to a single point of failure. Outsourcing to a HIPAA hosting provider means your business can take advantage of your data center operator's design of power connections, UPS (Uninterruptible Power Supplies) systems, generators, air conditioning and networks.
Flexibility 
Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-generation VMware that dominates the market for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows for the ability to scale servers up and down as needed to respond to the demands of end-users with fast deployment time.

4.2. Risks of Outsourcing

However, the risks of outsourcing HIPAA compliant hosting to a service provider can mean extending your circle of trust to include a third-party vendor. These service providers, known as business associates (BAs), open your company up to the potential risk of a PHI breach. According to HHS.gov, 62 percent of the total number of patient records breached involved a business associate, increasing the need to thoroughly vet anyone that touches your PHI.
The stakes for both covered entities and business associates are getting higher, with HHS now extending responsibility to protect PHI to all business associates throughout the "chain of trust." States are also exercising their rights to prosecute business associates under other provisions besides the HITECH Act.

HIPAA Breach Fines and Penalties

A covered entity's lack of due diligence can result in costly fines and penalties. The fines and penalties for a HIPAA violation (a data breach, whether lost or stolen) range from $100 per violation with a maximum fee of $25,000 for repeat violations to $50,000 per violation with a maximum fee of $1.5 million.[14]
The amount depends on the violation's classification, with minimum and maximum penalties per violation and an annual cap for repeat violations:

HIPAA Violation Types and Penalties[15]

VIOLATION TYPE | MIN. PENALTY | MAX. PENALTY
Individual did not know they violated HIPAA | $100 per violation; annual maximum of $25,000 for repeat violations | $50,000 per violation; annual maximum of $1.5 million
Reasonable cause and not willful neglect | $1,000 per violation; annual maximum of $100,000 for repeat violations | $50,000 per violation; annual maximum of $1.5 million
Willful neglect, corrected within the required time | $10,000 per violation; annual maximum of $250,000 for repeat violations | $50,000 per violation; annual maximum of $1.5 million
Willful neglect, not corrected | $50,000 per violation; annual maximum of $1.5 million | $50,000 per violation; annual maximum of $1.5 million
Another category of a HIPAA violation is determined by covered entities and individuals that knowingly breached the HIPAA regulations - for these, criminal penalties apply.
The maximum offense is a HIPAA breach committed with intent to sell, transfer or use individually identifiable health information for personal/financial gain or malicious harm, resulting in fines of $250,000 and imprisonment for up to ten years.
Ultimately, covered entities are held responsible for the monetary and reputational consequences, although under recent proposed revisions to the HIPAA rules that responsibility will extend to business associates as well.

5.0. Vendor Selection Criteria

5.1. HIPAA Compliant Business Associates

When a covered entity decides to outsource HIPAA compliant hosting to a business associate, they need to look for certain indicators of compliance to ensure due diligence in vetting their service provider. Due diligence can help a covered entity prevent a potential data breach resulting in costly fines and reputational and business damage.

HIPAA Report on Compliance (HROC)

As the number of reported data breaches and the cost of these data breaches to the healthcare industry rise, it becomes imperative for a covered entity to select business associates that have invested in an independent audit and can provide a copy of their audit report to ensure they are following compliant policies and procedures.
Ask your HIPAA hosting provider if they can provide a copy of their independent audit report (also known as a HIPAA Report on Compliance, HROC), stating they are compliant against the OCR (Office for Civil Rights) HIPAA Audit Protocol. The comprehensive audit protocol covers the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Established after initial federal audits from 2011-2012, the OCR HIPAA Audit Protocol sets the bar for the highest standards of security for healthcare companies.

HIPAA Certification vs. Compliance

Beware of data center operators that claim to be "HIPAA certified." There is no governing body or federally recognized HIPAA certification, for covered entities or business associates alike. The correct term and usage is "HIPAA compliant," meaning their policies, procedures, technology and staff implement security controls that are aligned with the HIPAA rules.
While, in some cases, certification may mean they have taken an unofficial exam and passed with knowledge of HIPAA-related material, it does not mean their facilities, staff or solutions are actually compliant with the HIPAA standards. It also does not mean using their services will make your company compliant.

Other Data Center Audits

While an HROC is specific to healthcare and the protection of PHI, other data center audits can give you additional guidance and insight into a vendor's ongoing compliance and level of operating standards, as well as the quality of service you can expect to receive.
  • SAS 70[16] The Statement on Auditing Standard No. 70 was originally used to measure a service provider's controls related to financial reporting and recordkeeping. Two types are recognized by the AICPA (American Institute of CPAs) - Type 1 reports on a company's description of their operational controls, while Type 2 includes an auditor's opinion on how effective these controls are over a specified period of time. In both cases, keep in mind that the audited company gets to specify the controls that they will be audited against. Some specify only a handful of weak controls. Others specify dozens of strong controls. Make sure you read the details of the controls.
  • SSAE 16 - The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures controls relevant to financial reporting. Type 1 reports on a data center's description and assertion of its controls, as reported by the company. Type 2 adds the auditor's testing of whether those controls are accurately described, implemented and effective over a specified period of time. No two SSAE 16 audit reports are the same, as there is no standard set of controls. Make sure you read the details of the controls.
  • SOC 1[17] One of the three new Service Organization Controls (SOC) reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It measures the same controls as an SSAE 16 audit.
  • SOC 2[18] This report is a detailed account of the technical controls relevant to IT and data center service providers. It is organized around five trust services principles: security, availability, processing integrity (ensuring system accuracy, completeness and authorization), confidentiality and privacy. There are two types: Type 1 reports on a data center's system and the suitability of its control design, as reported by the company. Type 2 includes everything in Type 1 plus the auditor's opinion on the operating effectiveness of the controls over a period of time. This is the first AICPA audit to standardize the control criteria, so there is less variation between reports. However, since every audit, auditor and company are different, read the details of the report rather than taking it for granted, and check that its scope actually covers the data center and service you will be using.
  • SOC 3[19] This report includes the auditor's opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.
  • PCI DSS[20] The Payment Card Industry Data Security Standard was created by the major card brands and applies to companies that store, process or transmit cardholder data. Data center operators that host cardholder data need to have undergone a PCI assessment resulting in an Attestation of Compliance (the current version of the standard at the time of writing is 2.0), and they should understand which technical components can help your company meet the PCI requirements.
As with any type of audit, covered entities must review each individual compliance report to determine its full scope and applicability. Each SSAE 16 or HIPAA audit is unique to the hosting provider that commissioned it.

Business Associate Agreement

The lack of a business associate agreement (BAA) implies negligence and may fall under the HIPAA violation category of Willful Neglect. Check to make sure your business associate has a thorough BAA with documented policies that discuss how they handle PHI, from breach notification to contract termination and data ownership.
Part of your due diligence as a covered entity is to understand your hosting provider's documented policies and procedures for securing your data and handling a data breach. Check the timeline in their breach notification policy for notifying covered entities: business associates are required by law to report breaches without unreasonable delay, and covered entities must in turn notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach.[21] The shorter the provider's commitment, the more of that window you keep for your own response.
Another key clause of a BAA should have terms and effective dates, with language around how PHI will be handled after termination, including the return and destruction of data. Data ownership, access and rights should also be discussed in the agreement.

PHI Breach Insurance Protection

Even if your business associate and your company have policies and procedures in place to prevent a data breach, unexpected data loss can still occur. Covered entities may want to ask for a copy of the business associate's PHI breach insurance policy. This is important to cover the cost of notification, investigation, litigation and any levied penalties. If the business associate has been put out of business or severely compromised by the substantial costs of a breach, all of the burden will fall upon the covered entity.
Insurance policies exist that will mitigate the costs of PHI breach notification, litigation and penalties. It's a basic protection every business associate should invest in.

HIPAA Policy Training

Your HIPAA hosting provider should have documented internal processes and policies that reflect best practice. Within their organization they should have an appointed Risk Management Officer (the designated security official the Security Rule requires) who ensures that these policies and procedures are followed and remain in compliance with the HIPAA regulations.
The Risk Management Officer also conducts employee training to educate and implement the HIPAA policies and procedures that affect the day-to-day operations of their organization. Employee training is important when it comes to any business associate, as many data breaches (and HIPAA violations) are a result of human error, or an employee mishandling sensitive data, and not hacker-related. Ask your hosting provider for the most recent date of their HIPAA policy training and percent of employees that have completed training during the vendor selection process.

5.2. Other Key Data Center Considerations

Ownership

As stated earlier, data ownership is especially important to review in your hosting contract and BAA. Some providers reserve the right to access, allow access, and claim ownership of your sensitive information while it is hosted on their servers or in their environment. This is an issue that can occur especially in the cloud, as some cloud vendors may claim legal ownership of the data once in their possession.
Another consideration is ownership and operation of the data center(s). Some hosting providers will provide a service that is run in data centers owned and operated by different companies - this further extends the "chain of trust" to include potentially unknown third-parties. If you have no way of knowing who has access to or controls the environment that houses your servers, let alone their level of compliance, you are putting your PHI and business at risk.

Geographical Location

Hosting facility location is another important consideration, as data centers in certain regions are more exposed to natural disasters that could destroy your data outright. Choosing a data center in a low-risk region such as the Midwest reduces this exposure, though it does not remove the need for an offsite copy.
Another factor is climate - a region that allows a data center operator to take advantage of natural cooling for most of the year also allows you, as the client, to take advantage of their operating cost-savings. It also reduces the risk of overheating and potential hardware failure that could affect your data availability.
Knowing where your data lives is a key consideration: if your data leaves the country, do you still control it? HIPAA is created and enforced by the United States Department of Health and Human Services, and its ability to enforce against vendors operating outside the country is limited in practice. Once your data travels overseas you take on the added risk of a breach or HIPAA violation for which you, as the covered entity, remain accountable.

Disaster Recovery

The HIPAA Security Rule was created to protect not only the confidentiality of ePHI, but also the integrity and availability of patient records. According to the HHS, "integrity" means that ePHI is not altered or destroyed in an unauthorized manner.[22]
Preserving the integrity of information means putting formal data backup and recovery plans in place to ensure data can be accurately and quickly accessed in the event of a disaster or failure. Location is important when it comes to offsite backup and disaster recovery - a copy of your PHI in a separate location can preserve the integrity of your information.
The Security Rule also requires on-demand access to patient records, which, in turn, requires high availability hosting and infrastructure. Choosing a data center operator with a well-designed geographical separation between their data centers helps availability, as well as having multiple power grids to further boost utility resiliency should one power provider experience a prolonged outage.
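To make the integrity requirement concrete, the following is an added example (it is not part of the white paper and not any provider's code) of how a covered entity can check that an offsite backup copy still matches what was written: a manifest of SHA-256 digests per file, with an HMAC-SHA256 over the manifest under a key held by the covered entity rather than the hosting provider, so a party that can alter the backup cannot silently regenerate the digests to match. File names, contents and the key are constructed for the demonstration.

```python
"""Tamper-evident manifest for an offsite PHI backup copy.

Added example, not from the white paper. It records a SHA-256 digest per file and
protects the manifest itself with an HMAC-SHA256 under a key that is stored apart from
the backup (with the covered entity, not the hosting provider). Sample files and the
key below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup images are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(key: bytes, files: Dict[str, str]) -> str:
    # Canonical JSON so the same file set always produces the same MAC input.
    payload = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> bytes:
    """Digest every regular file under `root` (relative POSIX paths) and MAC the result."""
    files = {p.relative_to(root).as_posix(): file_digest(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return json.dumps({"files": files, "mac": _mac(key, files)}, sort_keys=True).encode()


def verify_manifest(root: Path, manifest: bytes, key: bytes) -> List[str]:
    """Return findings; an empty list means the copy matches the authenticated manifest."""
    doc = json.loads(manifest)
    files: Dict[str, str] = doc["files"]
    # Check the MAC first: without the key, whoever rewrites a file cannot also
    # rewrite its digest here without the MAC failing.
    if not hmac.compare_digest(_mac(key, files), doc.get("mac", "")):
        return ["manifest: MAC mismatch, manifest is not trustworthy"]
    findings: List[str] = []
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in sorted(files.items()):
        if rel not in present:
            findings.append(f"missing: {rel}")
        elif file_digest(root / rel) != expected:
            findings.append(f"modified: {rel}")
    findings.extend(f"unexpected: {rel}" for rel in sorted(present - files.keys()))
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the check against a constructed backup set, then against a tampered copy."""
    key = b"constructed-demo-key-keep-real-keys-off-the-backup-host"  # constructed
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"constructed sample record data\n" * 100)
        (root / "ehr" / "audit.log").write_bytes(b"2013-01-01 access mrn=000001\n")
        manifest = build_manifest(root, key)
        results["clean"] = verify_manifest(root, manifest, key)

        # Tampering: alter a record, drop the audit log, plant an extra file.
        (root / "ehr" / "patients.db").write_bytes(
            b"constructed sample record data\n" * 99 + b"altered\n")
        (root / "ehr" / "audit.log").unlink()
        (root / "ehr" / "extra.bin").write_bytes(b"\x00")
        results["tampered"] = verify_manifest(root, manifest, key)

        # An attacker without the key rebuilds the manifest to match the tampered files.
        forged = build_manifest(root, b"wrong-key")
        results["forged_manifest"] = verify_manifest(root, forged, key)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or "OK")
```

A plain digest list detects accidental corruption but not deliberate alteration by someone with write access to the backup; the keyed MAC is what closes that gap, which is why the key must not live alongside the copy it protects. Run verify_manifest against the copy before relying on it for a restore, and record the findings as part of each disaster recovery test.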

Data Destruction

The HHS's guide on specifying technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals recommends that paper, film, or other hard copy media must be destroyed or shredded in a manner that would render PHI illegible. Electronic media must be wiped or destroyed consistent with NIST standards outlined in the NIST Special Publication 800-88, Guidelines for Media Sanitization, rendering PHI irretrievable.[23]
Ensuring the confidentiality of your sensitive data means knowing where your data goes after you terminate your contract with your HIPAA hosting vendor. It also means knowing whether or not there are any copies of the data leftover after you leave the vendor. If any archived, unencrypted PHI is found on backup tapes or servers, you are putting yourself at risk of a HIPAA violation. Check your HIPAA hosting provider's BAA for specific provisions on how they will handle PHI after contract termination.

High Availability

A high availability (HA) hosting infrastructure is imperative to ensuring data is always accessible. HA solutions increase uptime and availability and lower risks. It's not a matter of "if" something fails, it's planning for "when" failures happen - and they will. In your evaluation of any data center - yours or a third-party - you should endeavor to identify all of the single points of failure. It's worth an outside opinion if reviewing your own data center (nothing beats an independent pair of eyes) and when visiting a potential data center Business Associate - ask the hard questions whenever you suspect complete redundancy is not in place.
With HA protection in place, providers can hedge against the loss of electrical power, network connectivity disruptions, router failures, firewall attacks, cooling problems, and have peace of mind knowing PHI is protected, available, and safe.
A managed HIPAA hosting solution takes into account several design factors to ensure no single points of failure exist. This is true for the data center infrastructure layer components, as well as the individual servers and components in the rack.
The major design points for a successful HIPAA hosting implementation include building in redundancies in critical equipment and infrastructure, including:
  • Power connections - Dual independent power feeds are run from disparate circuit breakers, to two separate power supplies in the server. Each power supply on a server is plugged into separate power strips in the rack. Power strips with digital amp load readouts aid in monitoring power levels and help avoid tripping a circuit breaker, which would shut down the entire power strip.
  • UPS systems - Uninterruptible Power Supplies (UPS) condition and distribute power and provide backup power from a bank of batteries in the event of an outage. Because the UPS output is regulated, fluctuations in utility power, whether surge or brown-out, do not reach the racks.
  • Generators - Each UPS is fed by one or more power feeds from the utility company, and the utility feed is backed by multiple generators running on either diesel or natural gas. If utility power is lost, the UPS batteries maintain stable power to the racks while the generators start and take over. Fuel supply contracts must be in place with several vendors, together with fuel delivery SLAs.
  • Air conditioning - N+1 redundant cooling is in place with environmental monitoring, and scheduled maintenance plans to ensure the data center climate remains in the safe zone.
  • Network connections, switches and firewalls - The network connectivity in a managed cloud is designed to replicate the same redundancy as the power distribution so that network and Internet connectivity have no single point of failure. Each server in the cloud should have at least two separate Network Interface Cards (NICs) that connect the server to the redundant HA network infrastructure. Each NIC in the server is connected to a different network switch, which distributes network connectivity to all servers within the cloud. Each network connection is connected to a pair of redundant firewalls, which protect traffic on each segment of the network from intruders and other threats. Additionally, each firewall connection is connected to separate routers and network access switches. These routers are then connected to multiple Internet Service Providers (ISPs) to provide diverse network paths to and from the Internet.
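The redundancy checklist above can be checked rather than taken on trust. The following added example (not from the white paper and not any provider's tooling) models a rack as a fault tree of AND gates (components that are all required) and OR gates (redundant alternatives), then enumerates which single components take the rack down and which pairs do. The two topologies and all component names are constructed to mirror the checklist; a real assessment would model the provider's actual wiring, including any shared upstream components.

```python
"""Single-point-of-failure (SPOF) analysis of a hosting rack modelled as a fault tree.

Added example, not from the white paper. The two rack topologies below are constructed
to mirror the redundancy checklist (dual power feeds, UPS plus generators, N+1 cooling,
dual NICs, switches, firewalls, routers and ISPs); all component names are illustrative.
"""
from itertools import combinations
from typing import List, Set, Tuple, Union

# Fault-tree node: a leaf component name, or a gate.
#   ("AND", [...]) models components that are ALL required: it fails if ANY child fails.
#   ("OR",  [...]) models redundant alternatives: it fails only if ALL children fail.
Node = Union[str, Tuple[str, list]]


def is_failed(node: Node, failed: Set[str]) -> bool:
    """Evaluate whether `node` is down given the set of failed leaf components."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    if gate == "AND":
        return any(is_failed(c, failed) for c in children)
    if gate == "OR":
        return all(is_failed(c, failed) for c in children)
    raise ValueError(f"unknown gate {gate!r}")


def leaves(node: Node) -> Set[str]:
    """All leaf component names under `node` (shared components counted once)."""
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(c) for c in node[1]))


def single_points_of_failure(root: Node) -> List[str]:
    """Components whose failure alone takes the root down."""
    return sorted(c for c in leaves(root) if is_failed(root, {c}))


def double_failures(root: Node) -> List[Tuple[str, str]]:
    """Pairs of non-SPOF components that take the root down only when both fail.

    Maintenance on one side of a pair temporarily turns the other side into a SPOF,
    so this is the list to ask the provider about.
    """
    spofs = set(single_points_of_failure(root))
    candidates = sorted(leaves(root) - spofs)
    return [(a, b) for a, b in combinations(candidates, 2) if is_failed(root, {a, b})]


def rack_without_redundancy() -> Node:
    """Constructed baseline: one of everything, a generator backing a single utility feed."""
    power = ("AND", ["psu_1", "strip_1", "breaker_1", "ups_1", ("OR", ["utility", "gen_1"])])
    network = ("AND", ["nic_1", "switch_1", "fw_1", "router_1", "isp_1"])
    return ("AND", [power, network, "crac_1", "server_host"])


def rack_with_redundancy() -> Node:
    """Constructed design following the checklist: two independent power feeds (separate
    breakers, strips, PSUs and UPS, each backed by its utility feed or either generator),
    two network paths (NIC, switch, firewall, router) to two ISPs, and N+1 cooling."""
    def feed(side: str) -> Node:
        return ("AND", [f"psu_{side}", f"strip_{side}", f"breaker_{side}", f"ups_{side}",
                        ("OR", [f"utility_{side}", "gen_1", "gen_2"])])

    def net_path(side: str) -> Node:
        return ("AND", [f"nic_{side}", f"switch_{side}", f"fw_{side}", f"router_{side}",
                        ("OR", ["isp_1", "isp_2"])])

    power = ("OR", [feed("a"), feed("b")])
    network = ("OR", [net_path("a"), net_path("b")])
    cooling = ("OR", ["crac_1", "crac_2"])  # N+1 cooling units
    return ("AND", [power, network, cooling, "server_host"])


if __name__ == "__main__":
    for name, rack in (("baseline", rack_without_redundancy()),
                       ("redundant", rack_with_redundancy())):
        print(f"{name}: single points of failure = {single_points_of_failure(rack)}")
        print(f"{name}: {len(double_failures(rack))} double-failure pairs")
```

In the redundant design the only remaining single point of failure is the server host itself, which is what failover across multiple virtualization hosts (described under Server and storage devices) addresses. The double-failure list is the set of questions to ask on a site visit: planned maintenance on one side of any pair leaves the other side as a temporary single point of failure, so the provider's maintenance procedures should account for it.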
Cloud Computing
Server and storage devices
A high performance managed cloud relies on top-notch technology for server hosts and SAN storage. Virtualization technologies like VMware (in its fifth generation) dominate the market for applications that require a high degree of resiliency, security, and scalability. The ability to scale up and down servers as needed also introduces flexibility into the managed cloud architecture, so that clients can be responsive to the needs of their end-users.
VMware backed by name-brand SAN and server technology create the server and storage platforms necessary to deliver highly available cloud solutions. Regardless of which brand of hardware is chosen, using multiple server hosts allow VMware to failover to secondary hosts in the event of a hardware failure, keeping critical systems online in the cloud.
And finally, a SAN with multiple redundant controllers and high-speed RAID disk systems is designed to meet the performance and availability needs of virtualization environments running today's demanding applications. Today's SANs combine intelligence and automation with fault tolerance to provide simplified administration, rapid deployment, enterprise performance and reliability, and seamless scalability.
Room to Grow
When choosing a HIPAA compliant hosting company, you want to partner with a business that can give you room to grow. On-demand resources can be deployed rapidly with a managed cloud solution, meaning you can easily scale servers up and down as needed.
Managed Services
With a managed hosting provider, you can take advantage of their managed services to ease the burden on your own IT staff and resources. An investment in managed hosting services means a trained and professional IT team can perform maintenance and updates, freeing up your IT staff to focus on developing your core business and applications. Some of the managed services available when you outsource include:
  • Patch Management - Ask your potential vendor if they provide OS patch management as a managed service. If your servers are not patched and managed properly, your PHI and applications are exposed to attackers exploiting known vulnerabilities. Your hosting provider should provide notification of outstanding updates, patch installation assistance and different levels of patch management to suit your risk tolerance.
  • 24/7 Emergency Response - In the event of unauthorized access or a disaster/failure, your hosting provider should have a responsive, trained support team ready to report and remediate the issue. The faster a data breach is reported, the more time your company will have to respond to the Office for Civil Rights (OCR) and compile the documents it requires.
  • Proactive Server Monitoring - With a remote server monitoring service, you should be able to check the status of your servers even if you're not located at the data centers. Your hosting provider should have a monitoring service that allows you to check your current disk space or bandwidth usage, and your application, web and database performance, all through a single-pane-of-glass portal.
If you choose to keep hosting in-house, you may not have the resources or budget to accommodate all of the features listed above, including the capital investment in hardware. Keeping operations in-house may require training or hiring new staff to manage server hardware, storage, virtual servers or data center infrastructure as you work to implement and achieve HIPAA compliance across different technologies. One example is building an offsite disaster recovery solution: some cloud hosting providers can provide one at a significantly lower cost than building it internally.

6.0. Conclusion

With the right business associate that can prove compliance and fit the needs of your company, you can safely outsource HIPAA hosting to a fully managed and audited data center operator.
Partnering with a provider that can implement the proper administrative, technical and physical security means you can also take advantage of their managed service offerings to save on internal resources better spent on your core business.
However, realizing the benefits of outsourcing requires doing your due diligence as a covered entity in the vendor selection process to keep the integrity, confidentiality and availability of ePHI consistent with federal standards. Extending the "chain of trust" to a third-party means you are only as compliant as your weakest link - further emphasizing the need to carefully select your vendors.
Here's a quick review of what to look for in a HIPAA hosting provider:
  • Review a copy of their HIPAA Report on Compliance (HROC) outlining the scope of their independent HIPAA audit - this is essential to ensuring their data centers and solutions are operating within compliance.
  • Ask your HIPAA hosting provider what type of specific technologies should be implemented, and a copy of their detailed operating policies and procedures.
  • Check the dates of your vendor's last employee training sessions, and the percent of total employee completion. As a business associate, your hosting provider should have an appointed Risk Management and Security Officer that oversees training and ongoing compliance.
  • Review their business associate agreement (BAA) that should outline the responsibilities of both the business associate and covered entity, and their roles in protecting PHI from contract start to termination. Check for a clause specifically related to their breach notification timeline.
  • Other considerations include an ideal data center location free from natural disasters and designed for high availability and disaster recovery options, and contract clauses relevant to data ownership, data center ownership and data destruction.
Meet with your potential vendor and verify all of the above are in place and that they are regularly maintained and monitored. Outsourcing, when done right, can save a covered entity significant money and time and provide a high level of compliance and service quality while avoiding the potential risk of a HIPAA violation.

7.0. References

7.1. Questions to Ask Your HIPAA Hosting Provider

  1. Do you sign a BAA (business associate agreement) with documented and communicated policies?
  2. What timeframe does your BAA promise clients for PHI breach notification?
  3. Were you audited against the OCR HIPAA Audit Protocol and do you provide copies of the audit report?
  4. What policies and technologies are used to protect my applications and PHI data?
  5. If disaster strikes, how long will it take before PHI is available again?
  6. Do you have documented policies and procedures?
  7. Are your employees trained to handle PHI and comply with HIPAA policies?

7.2. Example BAA

SAMPLE BUSINESS ASSOCIATE CONTRACT PROVISIONS 1
(Published in FR 67 No.157 pg.53182, 53264 (August 14, 2002))
Statement of Intent
The Department provides these sample business associate contract provisions in response to numerous requests for guidance. This is only sample language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these sample provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate.
These or similar provisions may be incorporated into an agreement for the provision of services between the entities or they may be incorporated into a separate business associate agreement. These provisions only address concepts and requirements set forth in the Privacy Rule and alone are not sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that are required or typically included in a valid contract. Reliance on this sample is not sufficient for compliance with State law and does not replace consultation with a lawyer or negotiations between the parties to the contract.
Furthermore, a covered entity may want to include other provisions that are related to the Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule.
In addition, there may be permissible uses or disclosures by a business associate that are not specifically addressed in these sample provisions, for example having a business associate create a limited data set. These and other types of issues will need to be worked out between the parties.
Sample Business Associate Contract Provisions 2
Definitions (alternative approaches)
Catch-all definition:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.
Examples of specific definitions:
1. Business Associate. "Business Associate" shall mean [Insert Name of Business Associate].
2. Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity].
3. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
4. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
5. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
6. Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
7. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.
Obligations and Activities of Business Associate
1. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
2. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages to a Business Associate.]
4. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
6. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner [Insert negotiated terms], to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if business associate does not have protected health information in a designated record set.]
7. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner [Insert negotiated terms]. [Not necessary if business associate does not have protected health information in a designated record set.]
8. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to the Secretary, in a time and manner [Insert negotiated terms] or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
9. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
10. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner [Insert negotiated terms], information collected in accordance with Section [Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
Permitted Uses and Disclosures by Business Associate
General Use and Disclosure Provisions [(a) and (b) are alternative approaches]
(a) Specify purposes:
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity:
[List Purposes].
(b) Refer to underlying services agreement:
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
Specific Use and Disclosure Provisions [only necessary if parties wish to allow Business Associate to engage in such activities]
1. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
2. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
4. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
Obligations of Covered Entity
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions [provisions dependent on business arrangement]
1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.
Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. [Include an exception if the Business Associate will use or disclose protected health information for, and the contract includes provisions for, data aggregation or management and administrative activities of Business Associate].
Term and Termination
1. Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. [Term may differ.]
2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:
a. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
b. Immediately terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible; or
c. If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary. [Bracketed language in this provision may be necessary if there is an underlying services agreement. Also, opportunity to cure is permitted, but not required by the Privacy Rule.]
3. Effect of Termination.
a. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
b. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon [Insert negotiated terms] that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
Miscellaneous
1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
3. Survival. The respective rights and obligations of Business Associate under Section [Insert Section Number Related to "Effect of Termination"] of this Agreement shall survive the termination of this Agreement.
4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.
[1] This website version of Sample Business Associate Contract Provisions was revised June 12, 2006 to amend the regulatory cites to the following terms: "individual"; "protected health information"; and "required by law."
[2] Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions and are not intended to be included in the contractual provisions.

7.3. Data Center Standards Cheat Sheet

SAS 70

The Statement on Auditing Standards No. 70 was the original audit used to measure a data center's financial reporting and recordkeeping controls. Developed by the AICPA (American Institute of CPAs), it came in two types:
  • Type 1 - Reports on a company's description of its operational controls
  • Type 2 - Reports on an auditor's opinion on how effective these controls were over a specified period of time (six months)

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. An SSAE 16 audit measures the controls relevant to financial reporting.
  • Type 1 - A data center's description and assertion of controls, as reported by the company.
  • Type 2 - Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.

SOC 1

The first of three new Service Organization Controls reports developed by the AICPA, this report measures the controls of a data center as they relate to financial reporting. It is essentially the same as an SSAE 16 audit.

SOC 2

This report and audit is completely different from the previous ones. SOC 2 measures controls specifically related to IT and data center service providers. The five controls are security, availability, processing integrity (ensuring system accuracy, completeness and authorization), confidentiality and privacy. There are two types:
  • Type 1 - A data center's system and suitability of its design of controls, as reported by the company.
  • Type 2 - Includes everything in Type 1, with the addition of verification of an auditor's opinion on the operating effectiveness of the controls.

SOC 3

This report includes the auditor's opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.

HIPAA

Mandated by the U.S. Department of Health and Human Services, the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), that is, patient health data such as medical records. When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected. A HIPAA audit conducted by an independent auditor against the latest OCR HIPAA Audit Protocol can provide a documented report proving that a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions.
No other audit or report can provide evidence of full HIPAA compliance.