About HIPAA Security Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the rules issued under it (most recently the 2013 Omnibus Final Rule) were created to protect the privacy and security of certain health information.
- The HIPAA Privacy Rule protects the privacy of individually identifiable health information.
- The HIPAA Security Rule sets national standards for the security of electronic protected health information (EPHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the responsibilities and liabilities of business associates under the HIPAA Privacy and Security Rules.
Who Must Comply with HIPAA?
Healthcare providers that transmit health information electronically, health plans, healthcare clearinghouses and Medicare prescription drug card sponsors must comply with the HIPAA standards when they generate, use, transmit or store electronic patient records.
These “covered entities” face financial, legal and reputational repercussions if their patients’ sensitive information is stolen, misused or made unavailable. Preventing unauthorized disclosure of protected health information (PHI) is a core goal of every covered entity in the healthcare industry.
Any business associate (a vendor, partner or service provider that creates, receives, maintains or transmits PHI on behalf of a covered entity) must also comply with the applicable HIPAA rules.
DriveSavers — Compliant with HIPAA Security Standards
WiRED Security, an independent third party, performed facility reviews and documentation reviews and interviewed key personnel at DriveSavers to measure our data recovery process controls. WiRED Security is certified to conduct IT audits and information security vulnerability and penetration testing.
In addition to their own auditing process, WiRED Security relied upon SOC 2 Type II audits and control testing performed by two independent parties in 2016 to validate the effectiveness of DriveSavers technical security controls.
The SOC 2 Type II audit is widely recognized as the standard developed by the American Institute of Certified Public Accountants (AICPA) for the assessment of service organizations. The audit is performed by a licensed CPA firm whose professionals have experience in accounting, auditing and information security.
The SOC 2 Type II audit is an intensive process, requiring months of preparation. DriveSavers undergoes the Type II SOC 2 audit on an annual basis. DriveSavers pursued the SOC 2 Type II audit voluntarily to verify the following for our customers:
- The integrity of our data recovery facilities and data hosting solutions
- The security of our IT assets
- Our compliance with the Sarbanes-Oxley (SOX) Act of 2002 and other data privacy and data security compliance regulations
- Our overall IT compliance
Certified Secure Recovery of Electronic PHI
Annual SOC 2 Type II audits are among the most rigorous forms of independent examination available to a service organization. The security control objectives established for our audits are designed to satisfy the security requirements of the corporate clients, healthcare service providers and government agencies we serve.
The following areas were examined and tested:
- Control environment
- Computer and network operations
- Data communications
- Network security
- Physical security
- Business-environment security
- Logical security
- Business continuity and disaster-recovery planning
- Change management for applications and solutions
- Executive and senior management
- Decision-making processes
- Human resources