HIPAA colocation is colocation that meets the specifications of the Health Insurance Portability and Accountability Act (HIPAA). This has 19 key requirements to protect medical records both on paper and in digital format. Here is a quick guide to what you need to know about HIPAA colocation.
Before you can fully understand even the basics of HIPAA colocation, you need to understand the basics of HIPAA itself. HIPAA actually serves multiple purposes. From an IT perspective, however, two stand out. The first is the prevention of fraud. The second is to guarantee the security and privacy of health information.
These two goals are closely linked. Essentially, healthcare-related fraud is fraud based on false information. This includes the misuse of legitimate information. It, therefore, follows that guaranteeing the security and privacy of healthcare information will help to reduce fraud. It also serves other purposes such as promoting confidence in healthcare.
The HIPAA omnibus rule essentially says that everyone involved in processing or storing healthcare data is responsible for their own compliance with HIPAA. If they are negligent, they can be directly sanctioned by the Department of Health and Human Services (DHHS).
This rule does not, however, mean that the DHHS takes over full responsibility for overseeing HIPAA compliance at all levels. The onus is still very much on businesses to set up robust and enforceable contracts with any service providers they use.
Businesses must also have written policies and procedures on how to manage their service providers. In particular, they must have protocols in place to deal with data breaches. These must include a breach-notification process.
Any business that fails to meet these requirements can expect to be sanctioned by the DHHS even if the fault for any breach does not lie directly with them. The DHHS may also choose to sanction the service provider, even though the service provider does not directly manage the data.
HIPAA colocation is colocation that is conducted in a way that is compliant with HIPAA. Colocation is the strategy of a business placing its own IT equipment in a data center that is owned and run by a third party.
In a HIPAA colocation scenario, the colocation vendor would need to be HIPAA compliant. This is because the security of a data center is fundamental to the security of the data stored in it.
Some businesses may see HIPAA colocation as a direct alternative to using a HIPAA-compliant public cloud. Others may plan to use them together but for separate purposes. In either case, here is a quick guide to the key differences between HIPAA colocation and a HIPAA-compliant public cloud.
With both colocation and the cloud, security is a shared responsibility. But with HIPAA colocation, the client’s direct responsibility extends further than it does in the cloud.
With colocation, the client is directly responsible for ensuring the security of their own hardware in their own area of the data center. They are also responsible for everything to do with software and user access. In the cloud, the client is only responsible for securing software and user accesses.
On a like-for-like basis, HIPAA colocation and the cloud have comparable reliability. Both colocation vendors and cloud vendors should be willing (and able) to guarantee close to 100% uptime. The key difference is that a HIPAA colocation vendor’s area of responsibility is noticeably lower than a HIPAA cloud vendor’s area of responsibility.
A HIPAA colocation vendor only needs to ensure that their data center infrastructure is kept available. The responsibility for ensuring the availability of a client’s hardware lies with the client (or their managed service provider). A HIPAA cloud vendor is responsible for ensuring that a client’s choice of hardware configuration is always available.
A colocation vendor should be able to offer 24x7x365 on-site access. There will, however, need to be security protocols in place to ensure that access is granted safely. These may slow down a client’s access to their own equipment, particularly if the client needs access at short notice.
With a HIPAA cloud, getting access is literally just a matter of going online and entering user credentials. It’s advisable to have a backup internet connection but most businesses are likely to have that in any case.
If you are planning to run your equipment yourself, then HIPAA colocation will require a higher level of management input than a HIPAA cloud. If, however, you plan to use a managed service provider, then the need for active management will be significantly lowered.
Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.