The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 both mandate that all covered entities and business associates fulfill certain requirements for data backup, data storage, and data recovery. These requirements are listed in the Security section of the Administrative Simplification Act and Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Planet Logic has developed a highly secure cloud hosting system that can help you fulfill the HIPAA and HITECH requirements for secure hosting, data storage, data recovery, and disaster recovery planning while realizing significant operational cost savings. Planet Logic’s full suite of services can help any size practice, hospital, or healthcare system comply with specific HIPAA and HITECH data security requirements starting with the first backup.

How Planet Logic facilitates HIPAA organizational compliance

Contingency Plan

164.308(a)(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

164.308(a)(7)(ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

Planet Logic provides a secure and comprehensive solution for the backup, retention, and recovery of your protected health information data. With Complete Data Protection the entire system is backed up nightly, Complex Retention Policies, and Bare Metal restoration capabilities, Planet Logic’s cloud system can easily restore data from it’s backup archive in the event of a disaster.

Access Controls

164.312(a)(1)Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

Planet Logic’s application, data access is controlled by centralized managed policies, only authorized individuals with decryption keys have access to encrypted data. All resources, both client side and web portal can only be accessed by an authorized user and password. The web portal and application are both protected by SSL during communication. 256 bit AES, TwoFish and Triple DES Data encryption including a Data Encryption key that is definable by your company’s backup administrator. SSL provides protection from the possibility of theft of credentials helping to provide a secure and accurate audit trail.

Audit Controls

164.312(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Planet Logic’s reporting capabilities give the end user an historical overview of their Backup Jobs. The reporting features include: Successful backups, Error reporting, Quota Reminders, Successful login attempts, Changed or Modified Backup sets, Job Summaries and Account Usage Reports. The User Audit Report is generated monthly and is part of our invoicing process. The report is attached to the monthly invoice so customers can accurately track usage.

Data Integrity

164.312(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Planet Logic has a robust security policy in place for authentication. Which is a Two Factor Authentication process. This security policy uses a unique ID which is tied to the customer ID. A complex password policy is used which requires certain characters to be used. The policy also has a built in expiration so the passwords are reset after 90 days. The first login layer authenticates the end user to the cloud. the second layer is the application layer in which a second authentication login. Once the user successfully logins in through the Two factor system. The authenticated user is then logged in, that user is then logged by the Audit system. Because of these policies the end user log ons are tracked and can be reported on if need be.

Data backups are first compressed in the cloud and then encrypted in 256 Bit AES. Data remains encrypted during transmission and while archived in the Cloud. Data is verified by the server application via data integrity checking before storing the backup data. The backup data is only unencrypted by the server application when the data is restored by the authenticated user with an encryption key, only then is the data decrypted safely and securely. 256 bit AES Data encryption and 256 bit SSL provide the encryption protection.

Authentication

164.312(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Planet Logic’s users are authenticated by a complex two factor authentication process with a username and password, only authorized individuals who have access have access to the data.
The Healthcare Cloud has a robust security policy in place for authentication. Which is a Two Factor Authentication process. This security policy uses a unique ID which is tied to the customer ID. A complex password policy is used which requires certain characters to be used. The policy also has a built in expiration so the passwords are reset after 90 days. The first login layer authenticates the end user to the cloud. the second layer is the application layer in which a second authentication login. Once the user successfully logins in through the Two factor system. The authenticated user is then logged in, that user is then logged by the Audit system. Because of these policies the end user log ons are tracked and can be reported on if need be.

HIPAA Compliant

The Healthcare Cloud is designed to meet or exceed the following Standards.

HIPAA Privacy Rule

  Safeguards:§164.530 (c)(1)
  Administrative §164.308
  Technical §164.312
  Physical §164.310
  Access to PHI §164.524
  Amendment to PHI §164.526
  Encryption of PHI §164.312

HIPAA Security Standards Matrix

  Assigned Security Officer §164.308(a)(2)
  Access Authorization §164.308(a)(4)
  Security Incident Reporting §164.308(a)(6)
  Contingency Plan: Data Back-up §164.308(a)(7)
  Contingency Plan: Disaster Recovery §164.308(a)(7)
  Business Associate Agreement §164.308(b)(1), 106.103
  Facility Access Controls §164.310(a)(1)
  Device & Media Controls §164.308(d)(1)
  Access Control §164.312(a)(1)
  Transmission Security §164.312(e)(1)