HIPAA

Healthcare is a highly regulated environment, and the nature of cloud computing infrastructure escalates concerns over privacy, security, access and compliance. U.S Congress recognized that advances in electronic technology could erode the privacy of health information. To protect such information, United States of America enacted the Health Insurance Portability Accountability Act of 1996 (HIPAA). It is the first comprehensive Federal protection for the privacy of personal health information.

 

 

How does it take form in Cloud Computing?

The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) define crucial rules for individually identifiable health information. This information is called protected health information or PHI.

A covered entity is a health plan, a health care clearinghouse, or a health care who electronically transmit any health information. When this covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. The covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

Hosting an application in compliance with HIPAA-HITECH rules is a shared responsibility between the customer and TCL. A Business Associate Agreement (BAA), which clearly defines the respective responsibilities of TCL and the customer, must be signed.

 

What is HITECH?

Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the “Administrative Simplification” rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

What are the HIPAA rules?

• The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
• The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
• The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

 

Is Tata Communications HIPAA compliant?

The scope of HIPAA compliance includes Managed Hosting Services offered by Tata Communications. Tata Communications’ Managed Hosting Service has been assessed to be compliant with the control requirements in alignment with the HIPAA Final Omnibus Rule pertaining to HIPAA Security Rule, HIPAA Privacy Rule and HIPAA Breach Notification Rule.

The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability.

Description	No. of Controls
Administrative Safeguards	24
Physical Safeguards	7
Technical Safeguards	8

 

HIPAA in-scope services:

Managed Hosting Services (MHS)

• Managed Server
• Managed Operating System
• Managed Storage
• Managed Switch
• Managed Firewall
• Managed Backup
• Managed Load Balancer
• Managed Database
• Managed Middleware
• Managed Virtualization
• Managed Disaster Recovery (DR)

 

Managed Hosting Services	In-Scope services
Operating System	Microsoft windows, RHEL, OEL, Solaris, IBM‐AIX, SUSE Linux, Debian Linux, Ubuntu Linux, Cent OS, Fedora
Network	VPN Gateway, Load balancer, switches, router
Storage/Backup	Shared and dedicated models, SAN, NAS and FC /iSCSI
Database	Oracle, MS-SQL, DB2 or MySQL database administration
Middleware	Middleware service is offered on applications including JBOSS; TOMCAT; Apache; WebLogic; WebSphere
Load Balancer	Static, Dynamic, Persistent: Radware, Citrix, SLB and GSLB, mSLB and mSLB with SSL off‐load
Security	SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth

 

Review all of our global compliance programs