With the surge in organizations embracing cloud computing solutions, demand on data centers has never been greater. Many of the organizations now migrating to online platforms are operating in the healthcare sector, which means that the need to ensure that HIPAA compliance is upheld should not be overlooked. Ensuring compliance is a crucial element in successful data center management, and, indeed, failure to meet the requirements can prove disastrous.

HIPAA Compliance For Data Centers

Short for the Health Insurance Portability and Accountability Act (signed into US law in 1996, not 1966), HIPAA regulates the use and disclosure of protected health information (PHI) by covered entities, meaning health plans, healthcare clearinghouses and healthcare providers such as doctors and hospitals, and by the business associates that handle PHI on their behalf. PHI is any individually identifiable health information in any form: medical conditions and history, test results, and billing and payment details that are tied to a patient. Such data must be stored and handled in a way that preserves its confidentiality, integrity and availability (the HIPAA Security Rule requires administrative, physical and technical safeguards for electronic PHI), and any breach of unsecured PHI triggers the obligations of the HIPAA Breach Notification Rule.

The HIPAA rules exist to protect individuals, and in that sense the law is often compared with the European GDPR, although the two differ in scope and mechanics. GDPR covers all personal data of people in the EU, not only health data held by healthcare organizations, and it requires a specific lawful basis for every use of health data (patient care is one such basis, so explicit consent is not always needed, but the organization must be able to name the basis it relies on). GDPR also grants data subjects rights that HIPAA does not, including the right to erasure (the "right to be forgotten"); HIPAA gives patients a right of access to their records but no right to have them deleted. Breach reporting differs as well. Under GDPR a personal data breach must be reported to the supervisory authority within 72 hours unless it is unlikely to result in a risk to individuals, with no size threshold. Under HIPAA every breach of unsecured PHI must be reported to the affected individuals regardless of how many people are involved; the 500-person figure is not a reporting floor but a trigger for extra duties: breaches affecting 500 or more individuals must also be reported to HHS without unreasonable delay (and within 60 days of discovery) and to prominent media outlets, while smaller breaches are logged and submitted to HHS annually.

Why It Matters

Failing to meet the requirements can result in civil monetary penalties enforced by the HHS Office for Civil Rights (OCR), and in criminal prosecution for knowingly obtaining or disclosing PHI, on top of the reputational damage to any data center seen to have facilitated a breach. A data center that stores, processes or transmits PHI on behalf of a covered entity is a business associate under HIPAA: it must sign a business associate agreement (BAA) with that customer and is directly liable for complying with the Security Rule and the applicable provisions of the Privacy and Breach Notification Rules.

Growth industries such as telehealth mean that data centers must be aware of the HIPAA compliance requirements if they are to avoid the risk of fines or other action. And those data centers that can demonstrate a commitment to upholding HIPAA compliance will also benefit, as this is a clear advantage for healthcare firms looking to move into off-premises storage and processing.

There is no official HIPAA certification (HHS does not certify data centers or vendors), so the strongest evidence a data center can offer is a third-party assessment such as a HIPAA Report on Compliance (HROC) that maps its controls to the Security Rule's administrative, physical and technical safeguards. At a minimum that means a documented and tested disaster recovery and contingency plan; physical protection of all hardware and network assets (RFID badge-controlled access, visitor logs and video surveillance); network segmentation that isolates each healthcare customer's traffic and systems from other tenants; and encryption of PHI at rest and in transit, which is an addressable rather than mandatory specification under the Security Rule but is the only way a lost drive or an intercepted session avoids being a reportable breach of unsecured PHI. This is in addition to the standard compliance programme: a formal risk analysis, ongoing staff training, regular security audits, and access and audit logging on systems that touch PHI.