Most of the HIPAA compliance requirements fall on the shoulders of the hosting provider. Here, we list the best practices for each requirement.
1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
   - Enable data-at-rest encryption
   - Enable HTTPS for all data in transit
   - Enable version control
   - Back up your data storage and back up the CentreStack database
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
   - Put CentreStack in a DMZ, behind a firewall
   - Enable a password policy
3. Protect against reasonably anticipated, impermissible uses or disclosures
   - Fully leverage tenant-scope and folder-scope permission protection
   - Disable external sharing, or disable anonymous external sharing
4. Ensure compliance by their workforce
   - Create a dedicated CentreStack administrator account
   - Create a dedicated tenant administrator account
   - Train staff on HIPAA-related requirements and CentreStack-related features
5. Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
   - Network diagram documentation and analysis
6. Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
   - Designate someone who specializes in security
7. Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user's or recipient's role (role-based access).
   - Tenant administrator: minimum access; assign only to those who need it
   - Folder permissions: minimum necessary
   - CentreStack administrator: minimum necessary
8. Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
   - Training in HIPAA-related requirements and CentreStack-related administration
9. Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
   - Monthly or quarterly review process
10. Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
    - Hosting provider requirement
11. Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
12. Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
    - Tenant administrator: assigned and minimum necessary
    - Folder permissions: assigned and minimum necessary
    - Hosting provider system administrator: assigned and minimum necessary
13. Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
    - Use SQL Standard or MySQL Community Edition so that the Audit Trace and File Change Log history is retained deep enough
    - The hosting provider maintains network-access audit records
14. Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
    - Enable version control
    - Enforce strong passwords
    - The hosting provider backs up data storage and audits network access
15. Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
    - Enable HTTPS