Most HIPAA compliance requirements fall on the hosting provider. Below we list best practices for meeting each requirement, split between settings configured in CentreStack and responsibilities of the hosting provider.

HIPAA Requirements:

General Rules:

* Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
CentreStack:
- Enable data-at-rest encryption
- Enable HTTPS for all transmission
- Enable version control
Hosting Provider:
- Back up the data storage and the CentreStack database

* Identify and protect against reasonably anticipated threats to the security or integrity of the information
CentreStack:
- Place CentreStack in a DMZ, behind a firewall
- Enable a password policy

* Protect against reasonably anticipated, impermissible uses or disclosures
CentreStack:
- Fully leverage tenant-scope and folder-scope permissions
- Disable external sharing, or at least disable anonymous external sharing

* Ensure compliance by their workforce
CentreStack:
- Create a dedicated CentreStack administrator
- Create a dedicated tenant administrator
Hosting Provider:
- Train staff on HIPAA requirements and the related CentreStack features
Administrative Safeguards:

* Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Hosting Provider:
- Network diagram documentation and analysis

* Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Hosting Provider:
- Designate a staff member who specializes in security

* Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
CentreStack:
- Tenant administrator: minimum access; assign only to those who need it
- Folder permissions: minimum necessary
Hosting Provider:
- CentreStack administrator: minimum necessary

* Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Hosting Provider:
- Training in HIPAA-related requirements and CentreStack administration

* Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Hosting Provider:
- Monthly or quarterly review process

Physical Safeguards:

* Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Hosting Provider:
- Physical access control is a hosting provider requirement

* Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Technical Safeguards:

* Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
CentreStack:
- Tenant administrator: assigned and minimum necessary
- Folder permissions: assigned and minimum necessary
Hosting Provider:
- Hosting provider system administrator: assigned and minimum necessary

* Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
CentreStack:
- Use SQL Server Standard or MySQL Community Edition so that the Audit Trace and File Change Log retain enough history
Hosting Provider:
- The hosting provider keeps network-access audit logs

* Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
CentreStack:
- Enable version control
- Enable a strong password policy
Hosting Provider:
- The hosting provider backs up the data storage and audits network access

* Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
CentreStack:
- Enable HTTPS

* In the latest CentreStack, a Compliance Center has been added to the cluster admin Dashboard. Under Compliance Center, the HIPAA settings can also be checked.