HIPAA and HITECH Compliance Solutions
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, both mandate that all covered entities and business associates fulfill certain requirements for data backup, data storage, and data recovery. These requirements are listed in the Security section of the Administrative Simplification Act. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Dynamic Vault is a highly secure online data backup and data recovery system that can help you fulfill the HIPAA and HITECH requirements for secure data storage, data recovery, and disaster recovery planning while realizing significant operational cost savings.
Dynamic Vault’s full suite of services can help any size practice, hospital, or healthcare system comply with specific HIPAA and HITECH data security requirements starting with the first backup.
For more information on how Dynamic Vault can help your organization with a comprehensive HIPAA Backup Solution, contact us today.
How Dynamic Vault facilitates HIPAA organizational compliance
Contingency Plan
- 164.308(a)(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
- 164.308(a)(7)(ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
- Dynamic Vault provides a secure and comprehensive solution for the backup, retention, and recovery of your protected health information data. With Continuous Data Protection, Complex Retention Policies, and Bare Metal restoration capabilities, Dynamic Vault’s clients can easily restore data from anywhere in the event of a disaster.
Access Controls
- 164.312(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
- In Dynamic Vault’s application, data access is controlled by centrally managed policies; only authorized individuals with decryption keys have access to encrypted data. All resources, both client side and web portal, can only be accessed by an authorized user and password. The web portal and application are both protected by SSL during communication. Data is encrypted with 256-bit AES, Twofish or Triple DES, using a data encryption key that is definable by your company’s backup administrator. SSL provides protection from the possibility of theft of credentials, helping to provide a secure and accurate audit trail.
Audit Controls
- 164.312(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Dynamic Vault’s reporting capabilities give the end user a historical overview of their backup jobs. The reporting features include: Successful Backups, Error Reporting, Quota Reminders, Failed Login Attempts, Changed or Modified Backup Sets, Restore Job Summaries and Account Usage Reports.
Data Integrity
- 164.312(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- Data is first compressed on the client side and then encrypted with 256-bit AES, Twofish or Triple DES. Data remains encrypted during transmission and while archived in the Data Center. The server application verifies data via CRC (Cyclic Redundancy Check) data integrity checking before storing the backup data. CRC data checking also runs as a maintenance feature of the server application on all data. The backup data is only unencrypted by the Dynamic Vault Offsite Backup server application at the user site when the data is restored by the authenticated user with their encryption key; only then is the data decrypted safely and securely at the site where the user is. 256-bit AES, Twofish and Triple DES data encryption and 128-bit SSL provide protection from the possibility of theft of credentials.
Authentication
- 164.312(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Dynamic Vault’s users are authenticated by a username and password with an encryption key; only authorized individuals who have access and the encryption key have access to the data. The backup data is only unencrypted by the Dynamic Vault Offsite Backup server application at the user site when it has been retrieved by the authenticated user with their encryption key; only then is the data decrypted safely and securely at the site where the user is. 256-bit AES, Twofish and Triple DES data encryption and 128-bit SSL provide protection from the possibility of theft of credentials.
HIPAA Privacy Rule
- Safeguards: §164.530(c)(1)
- Administrative §164.308
- Technical §164.312
- Physical §164.310
- Access to PHI §164.524
- Amendment to PHI §164.526
- Encryption of PHI §164.312
HIPAA Security Standards Matrix
- Assigned Security Officer §164.308(a)(2)
- Access Authorization §164.308(a)(4)
- Security Incident Reporting §164.308(a)(6)
- Contingency Plan: Data Back-up §164.308(a)(7)
- Contingency Plan: Disaster Recovery §164.308(a)(7)
- Business Associate Agreement §164.308(b)(1), 106.103
- Facility Access Controls §164.310(a)(1)
- Device & Media Controls §164.308(d)(1)
- Access Control §164.312(a)(1)
- Transmission Security §164.312(e)(1)