The new HIPAA rules and what they mean for service providers

Jan 2013

Posted by Pavan Vyas

The Department of Health and Human Services (HHS) has announced sweeping changes to the HIPAA and HITECH Act rules. The new rules strengthen the ability of the Office for Civil Rights to enforce HIPAA. Here are some of the main changes and how they affect backup service providers.

Business associates are now directly liable for compliance. It is therefore the service provider's responsibility to comply with the requirements of the Privacy Rule and to ensure that its activities are strictly in accordance with the terms of the business associate agreement entered into with the healthcare organization (also known as the covered entity).

Service providers may be contacted by the HHS and required to disclose protected health information (PHI), and must be able to provide a copy of that information to the patient or the covered entity when requested.

Further, service providers are now required to enforce the "minimum necessary rule," which mandates that they take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

In addition, any exposure of data is now presumed to be a breach. The onus is on the organization to demonstrate that there is a low probability that the protected health information has been compromised.

These are some of the major changes outlined in a comprehensive 563-page document released by the Department of Health and Human Services.

All these changes make it all the more important for service providers to ensure that their backup solution keeps the data highly recoverable, so that they can provide a copy of the data when requested. It is also critical that the backup solution encrypts the data in flight and at rest using a secure, certified algorithm, protecting service providers from the threat of a data breach. Fortunately, with backup and recovery solutions like Asigra that provide recovery and restore assurance features and NIST FIPS 140-2 certified encryption, you are already well on your way to compliance with the new rules.

Backup service providers also need to ensure that they have the policies, procedures, and physical security measures in place to keep their data centers secure and to ensure that only the absolute minimum number of employees required have access to the protected health information.

If you are a service provider serving organizations in the healthcare space, you must read the new rules in greater detail and ensure that you are in compliance. Fortunately for you, our technology does a great deal to take you forward on this path.
