The Health Insurance Portability and Accountability Act (HIPAA) was created to:
- Modernize the flow of healthcare information
- Stipulate how individually identifiable health information (protected health information, PHI) maintained by the healthcare and health insurance industries should be protected from fraud and theft
- Address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
The HIPAA Security Rule
After the passage of HIPAA in 1996, more and more healthcare information came to be shared and stored electronically. This prompted regulators to issue a rule dedicated to safeguarding electronic health information, hence the Security Rule. Since the Rule was finalized in 2003 (with compliance required from 2005), there have been several updates, most notably the HITECH Act in 2009 and the Omnibus Rule in 2013.
The Security Rule is a set of regulations intended to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). This is achieved by implementing three types of required safeguards: Administrative, Physical, and Technical.
Technical safeguards are the policies and procedures that determine how technology protects ePHI and controls access to that data. This is often the most challenging part of the Rule to understand and implement, and it is a focal point of the DuploCloud platform. The Technical safeguard standards are:
- Access Control: Policies and procedures that allow only authorized individuals to access ePHI.
- Audit Control: Procedures implemented through hardware or software that record and monitor access to systems that contain ePHI.
- Integrity Controls: Procedures to ensure that ePHI is not improperly altered, destroyed, or tampered with.
- Person or Entity Authentication: Procedures to verify that a person or system seeking access to ePHI is who it claims to be.
- Transmission Security: Security measures that protect against unauthorized access to ePHI while it is being transmitted over an electronic network.
HIPAA Certification Overview
Note that there is no official HIPAA certification: the U.S. Department of Health and Human Services does not certify software or organizations, so "certification" here means demonstrable compliance with the rules. Below is a short list of the minimum requirements that an organization must meet for its software and the ePHI it handles to be HIPAA compliant:
- HIPAA Rules: Comply with all aspects of the rules that make up HIPAA; the Privacy Rule, Security Rule, HITECH and the Omnibus Rule.
- Security Safeguards: The administrative, physical and technical safeguards laid out in the Security Rule should be followed.
- Transport Encryption: Any ePHI must be encrypted before it is shared or disclosed over a network. (The Security Rule lists encryption as an "addressable" specification, but in practice it is treated as required because an unencrypted breach of ePHI is reportable.)
- Backup: All ePHI should be backed up in case there is a need to recover or restore the information.
- Authorization: ePHI should be restricted so that it is only accessible to authorized personnel.
- Storage Encryption: In addition to how it is shared, ePHI should also be stored in an encrypted manner.
- Integrity: ePHI should be protected from unauthorized changes and improper destruction.
- Disposal: Once the ePHI is not needed anymore, it should be safely and permanently destroyed.
DuploCloud and HIPAA Certification
With DuploCloud, control implementation is auto-generated and integrates seamlessly into DevOps workflows from the start. Other security products apply controls only after resources are provisioned, which limits their coverage to roughly 30% of the required set of security controls. DuploCloud is the only automation platform spanning both provisioning and security, and it ensures adherence to 90% of the required set of security controls.
Built for Compliance
DuploCloud was built for out-of-the-box HIPAA compliance. Start with a compliance gap assessment.
HIPAA and HITRUST controls are implemented and remediated by orchestrating native AWS, Azure, or GCP cloud services, open source tools, and third-party software, improving your security posture.
We’ll give you sample auditor- and customer-ready InfoSec and Infrastructure Security documentation that you can tailor to your own policies and procedures.
Audit Ready Reporting
Save hundreds of hours with built-in proof of security controls, operational reports, and screenshots.