Whether you’re in the healthcare industry or your business serves clients in the healthcare industry, HIPAA is likely at the forefront of your thoughts. But what is it, and how does it affect your data specifically?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation establishing rules, regulations, and potential levies around treatment and use of Protected Health Information (PHI).
That’s a mouthful! Translated into lay-speak that sentence amounts to this:
“If you touch private medical data, it’s your job to ensure it is kept safe.”
Misconceptions about lines of responsibility have caused several well-documented issues, including tens of millions of dollars in fines and settlements.
Avoiding these fines and settlements is of paramount importance to the health of your business. The first step is learning your responsibilities. HIPAA compliance is broken into four Rules which govern four major points of compliance:
- Privacy
- Security
- Breach Notification
- Omnibus
Each aspect requires its own processes and procedures to maintain that compliance.
The HIPAA Privacy rule notes several stipulations around who can access PHI, including the patient or the legal guardian of the patient, as well as detailing Health Care Providers’ steps to deny or allow access to that data. This rule also includes requirements for documentation around training staff on how to handle data and attestation of completion of that training.
Only the people who need to have access to private health care data should be granted access.
This includes health care service industry employees and hosting business employees. Anyone who may come in contact with PHI should be scrutinized for need and granted access appropriately. If a specific team or individual doesn’t need access to PHI, they should not have it.
The HIPAA Security rule lays out standards for how data should be handled to maintain its integrity. This includes how PHI is stored, how it’s accessed once stored, how it’s transmitted, and even how the devices are physically maintained and monitored while in a Data Center. Further, this rule notes requirements for logging of access and proper means of disposal of data if disposal is ever required.
No one outside controlled members of the organization should be able to see PHI.
While the data is at rest, it should be encrypted. Backups of the data should be encrypted, the means of access and transmission should be encrypted, and the physical security of your machines needs to be maintained and controlled at all times. Logs need to be diligently kept for every time PHI is accessed, changed, updated, or moved. Lastly, once you’re done with the data, be it account termination or a migration, any physical copies of the data (i.e., hard drives) need to be appropriately disposed of to ensure complete data integrity.
Breaches usually cause the most confusion.
The HIPAA Breach Notification rule sets standards for how PHI data breaches must be handled should the unthinkable happen. In general, a breach is defined as any uncontrolled access to unencrypted PHI. For example, if a transmission is intercepted but it is encrypted and no one can actually see the specific data, this is not a breach. However, if a laptop with access to PHI is stolen and it is used to view that PHI, this is a breach and needs to be reported.
Breaches are further broken into two types: Minor breaches, which affect fewer than 500 individuals, and Meaningful breaches, which affect greater than 500 individuals.
Breaches do not necessarily equal violations. A violation is when a breach comes as a result of a poorly defined, partially implemented, loosely maintained, or generally incomplete compliance process; or as a result of direct violation of properly implemented processes and procedures.
Calling back to our laptop example:
If a laptop with access to PHI is stolen, it is a breach. This stolen laptop incident becomes a violation if the company didn’t have documented processes and procedures surrounding the use of that laptop OR if the owner of the computer was negligent with the device.
Not all breaches are violations, but all breaches need to be reported.
The HIPAA Omnibus rule is a catch-all rule that controls compliance as it extends to other parties. In today’s internet business, we all understand that it’s rarely feasible to handle all processes in house, including hosting. This rule allows firms to extend HIPAA compliance responsibilities to other parties so long as those other parties are also HIPAA compliant and the two companies enter into a Business Associate Agreement (BAA), a contract which outlines each party’s responsibilities for the handling of PHI.
It’s possible to maintain HIPAA compliance even when parts of your processes are outsourced to other companies. Just make sure the other company is also HIPAA compliant, and you have executed a BAA before allowing access to PHI.
How Does This All Apply to Databases?
Now that all of those points are laid out, how does this affect databases specifically? Databases are the most likely place where PHI will be stored.
Most modern applications and storage formats will be database driven and thereby rely on databases as their source. It’s essential to understand the structure of the app you’re using as you consider maintaining HIPAA compliance and database hosting.
There are two primary styles of database hosting: dedicated database hosting and tandem database hosting.
Dedicated database hosting is the more complex and expensive of the two options. It requires a separate and segregated server that’s dedicated strictly to hosting your database service and nothing else. This server is usually connected to a private network and not open to the public internet. While accessing the data on this server, the application will often be configured to make an external connection to this database server, run its query, and return the response. That response is then processed however appropriate.
Tandem database hosting runs your database service on the same machine as other services and in conjunction with those services. Many less resource-intensive applications take this approach, as its deployment is less expensive and less complicated. The database service is usually configured to accept only local connections and performs the same queries without having to send the request or response outside the server.
|Hosting type|Advantages|Disadvantages|
|---|---|---|
|Dedicated Database Hosting|1. Easily scalable; 2. Designed to handle large databases; 3. Hardware can be customized for databases|1. More expenses; 2. Requires more hardware; 3. More difficult to administrate|
|Tandem Database Hosting|1. Less complex; 2. Deployed by default; 3. No additional configuration|1. Shared resources; 2. Could be affected by other services; 3. Scaling requires taking resources from other services|
Whether you use a dedicated database server or a database service running on a web server, if PHI will be stored there, the entire server is required to follow all compliance guidelines. These guidelines fall into four categories:
- Data handling
- Physical Safeguards
Data Handling refers to data that is ready to be accessed, data that is being accessed, and data that’s moving so it can be accessed once received. And these processes are governed by one concept: encryption.
According to the HIPAA Security rule, no one should simply be able to see PHI. That means data should be encrypted while at rest or in transit.
Encryption for databases exists at several levels and is available on all database platforms. There are ways to encrypt entire database warehouses, whole databases, full tables, or even individual columns. Investigate your current application deployments and choose the level that fits how your data is accessed and causes the least amount of interruption.
Data in transit also requires encryption, even if it’s across a private network connection. Again, there are many ways to move data and maintain the requirement for encryption: SSH, rsync, FTPS, and SFTP. Even dumping databases to a file and encrypting those files is acceptable. So long as you’re adhering to the Security rule’s requirement for encryption, you’re on the right track.
The last consideration is how the data is being accessed. Again, encryption is vital. SSH, Database Administration Tools, or the secured implementations of FTP work well.
Considerations for FTP
FTP and its encrypted implementations require moving data from the source to a destination. If someone is using FTP to pull data to their local machine then re-upload that data, it’s imperative that the destination machine follows all HIPAA compliance requirements no matter the type: laptop, tablet, workstation, what have you. If they are not following HIPAA requirements or requirements are not set up around this type of access, the organization is in violation and at risk of legal action.
Considerations for Database Administration Tools
There are many stand-alone and web-driven database administration tools, all with their own pros and cons. No matter the application (DBeaver, SQLite, MySQL Workbench, phpMyAdmin, or SQL Server Management Studio), they all need to make fully encrypted connections and follow the same access standards: controlled, logged, encrypted. This means all web-driven applications need an SSL certificate at minimum.
Database backups are paramount to a company’s survival, and the governing bodies understand this, which is why HIPAA compliance has stipulations specifically for maintaining backups.
First: Backups are Required
A means by which to back up data and databases is not only encouraged, it’s required. Not having backups is a direct violation of HIPAA compliance.
Further, those backups must follow the encryption policies for data handling. They must be encrypted, accessed only via encrypted means, and maintain encryption in transit.
Backups Also Require Testing
What good are backups if they don’t work and how do we know they’re failing if we don’t test them? These are essential questions, and their answers are built into HIPAA compliance. All backups must be checked regularly, those backups need to be verified, and the testing and verification must be logged so they can be submitted to your HIPAA compliance officer at the time of an audit.
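A checked, verified and logged backup test can look like the following sketch, which is an added example and not code from this article or from any hosting provider. It assumes SQLite as a stand-in database, hypothetical file names and function names, and that the backup has already been decrypted inside a compliant environment for the test.

```python
import hashlib, json, os, sqlite3
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_backup(backup_path, expected_sha256, expected_rows, log_path):
    """Test one backup and append the result to the verification log."""
    checks = {"digest_matches": sha256_file(backup_path) == expected_sha256,
              "integrity_ok": False, "row_counts_match": False}
    record = {"time": datetime.now(timezone.utc).isoformat(),
              "backup": os.path.basename(backup_path), "checks": checks}
    try:
        conn = sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)
        try:
            checks["integrity_ok"] = conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            counts = {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                      for t in expected_rows}
            checks["row_counts_match"] = counts == expected_rows
        finally:
            conn.close()
    except sqlite3.DatabaseError as exc:
        record["error"] = str(exc)  # unreadable backup: the checks stay False
    record["passed"] = all(checks.values())
    with open(log_path, "a") as log:  # append-only record kept for the audit
        log.write(json.dumps(record) + "\n")
    return record

def demo_backup_check(workdir):
    """Constructed sample: a 3-row table, one good backup, one damaged copy."""
    live, good, bad, log = (os.path.join(workdir, n)
                            for n in ("live.db", "good.bak", "bad.bak", "verify.log"))
    src = sqlite3.connect(live)
    src.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT)")
    src.executemany("INSERT INTO patients (mrn) VALUES (?)", [("A1",), ("B2",), ("C3",)])
    src.commit()
    dst = sqlite3.connect(good)
    src.backup(dst)  # online backup API from the standard library
    dst.close()
    src.close()
    digest = sha256_file(good)  # recorded when the backup is taken
    with open(good, "rb") as f, open(bad, "wb") as out:
        out.write(b"\x00" * 16 + f.read()[16:])  # simulate a damaged file header
    return (verify_backup(good, digest, {"patients": 3}, log),
            verify_backup(bad, digest, {"patients": 3}, log))
```

Each run appends one JSON line to the log whether the backup passes or fails, so the log shows that testing happened on schedule and what it found.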
This is a point of much contention. In the hosting world, almost everyone pays to avoid needing physical access to a server. We rely on our hosts to handle that part, and any access to the server, physical access included, requires the same scrutiny as other access.
According to the Security Rule, physical access must be controlled and logged. Luckily, as per the Omnibus rule, a third-party can handle almost any aspect of your compliance, so long as they’re HIPAA compliant and there’s a BAA executed. This includes physical access!
Liquid Web offers attestation via a BAA which covers their processes, documentation, and logged procedures surrounding physical access, its maintenance, and logging. That attestation can then be submitted to an auditor and serves as compliance when you need it.
Logging is another point that seems blurry to most clients and is absolutely crucial to maintaining HIPAA compliance. As part of the HIPAA compliance audit process, a compliance officer will require documentation showcasing all of the above points are followed. This means all access to your databases needs to be logged, and those logs need to be maintained.
You’ll have to provide logged details about each person who can access the data, every time the data was accessed and by whom, the reason the data was accessed, and the outcome of accessing said data; you’ll also need to record every time the physical hardware was accessed, as well as by whom. You’ll also need to show logs of your backup periods, verification of employee training, all breach awareness testing, and any breaches. That’s a lot to log! But it’s crucial. Not keeping these logs leaves you in violation of HIPAA compliance regulations and susceptible to fines and actions.
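The database access records described above (who, when, why, and the outcome) can be captured at the point of query, as in this added example, which is not code from the article. The `AuditedConnection` class, the user name, the ticket references and the in-memory log sink are all hypothetical, and SQLite stands in for the production database.

```python
import json, sqlite3
from datetime import datetime, timezone

class AuditedConnection:
    """Wraps a connection so every query against PHI leaves an audit record."""

    def __init__(self, conn, user, sink):
        self.conn, self.user, self.sink = conn, user, sink

    def _record(self, reason, sql, outcome):
        # The statement text is logged, never the bound parameters or the rows:
        # those may contain PHI and would turn the log into a second PHI store.
        self.sink.append(json.dumps({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": self.user, "reason": reason,
            "statement": sql, "outcome": outcome}))

    def query(self, sql, params=(), *, reason):
        if not reason or not reason.strip():
            self._record(reason, sql, "denied: no reason given")
            raise PermissionError("a reason for access is required")
        try:
            rows = self.conn.execute(sql, params).fetchall()
        except sqlite3.Error as exc:
            self._record(reason, sql, f"error: {type(exc).__name__}")
            raise
        self._record(reason, sql, f"ok: {len(rows)} row(s)")
        return rows

def demo_audit():
    """Constructed sample: one allowed read, one denied, one failing query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT)")
    conn.execute("INSERT INTO patients (mrn) VALUES ('A1')")
    sink = []  # stand-in for an append-only log store
    db = AuditedConnection(conn, "jdoe", sink)
    db.query("SELECT mrn FROM patients WHERE id = ?", (1,),
             reason="ticket 1234 chart review")
    for sql, reason in (("SELECT * FROM patients", ""),
                        ("SELECT * FROM missing", "ticket 1235")):
        try:
            db.query(sql, reason=reason)
        except (PermissionError, sqlite3.Error):
            pass  # the attempt is already in the audit log
    return [json.loads(line) for line in sink]
```

Denied and failed attempts are recorded alongside successful ones, which is what lets the log answer "the outcome of accessing said data" for every access.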