We have some great news for you on the compliance front! Kinvey, the industry leading HIPAA Compliant Cloud, has successfully completed our latest independent third-party compliance assessment.
NuHarbor Security conducted an Independent Security Controls Assessment of the Technical and Administrative controls included within the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule. The scope of this assessment included the entire Kinvey Backend as a Service platform, running on Google Cloud Platform, as well as all applicable processes and procedures. Kinvey conformed with every HIPAA citation that was applicable and in scope for the analysis.
Achieving this is no small task. Everyone on the Kinvey team has a role to play in ensuring HIPAA compliance. Below is a high level checklist of what it takes to be HIPAA compliant. As you will see, it’s quite involved and touches every aspect of our operation. Congrats to the team!
HIPAA Compliant Checklist
Security and privacy are major concerns. Healthcare organizations are under intense pressure from both the U.S. government and payers to reduce costs while improving patient outcomes.
Mobile healthcare (mHealth) is poised to make a huge positive impact with connected medical devices, wearable devices, patient adherence, clinical trials, and other B2C, B2B, and B2E apps to drive increased productivity, lower costs, and improve patient centric healthcare. But mobile apps pose new challenges for adhering to HIPAA and HITECH requirements for securing electronic Protected Health Information (e-PHI).
Healthcare organizations that fail to implement the necessary safeguards as required by these laws risk exposing sensitive PHI and may also incur the high costs of noncompliance.
The HIPAA Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Security Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain healthcare providers. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.
The rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy and Security Rules.
Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its healthcare functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
Under HIPAA, Kinvey is a Business Associate to a Covered Entity (our customer). As such, Kinvey will sign a Business Associate Agreement (BAA) with our customers to cover the Kinvey BaaS service and underlying infrastructure, and Kinvey has a BAA with Google, our cloud infrastructure provider, to cover the cloud compute, storage, and network.
The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI. Kinvey adheres to applicable aspects of the HIPAA Security Rules. This document outlines Kinvey’s approach to addressing the needs set forth in the e-PHI Security Rules.
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies and procedures
- Documentation requirements
- Breach notification requirements
In addition to this blog, please refer to the Kinvey Security Whitepaper for more information on our HIPAA Compliant Cloud.
REQUIRED OR ADDRESSABLE IMPLEMENTATION SPECIFICATIONS
If a HIPAA Compliant implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards.
In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative.
The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.
ADMINISTRATIVE SAFEGUARDS (164.308)
Administrative Safeguards for HIPAA Compliance require covered entities and Business Associates to implement policies and procedures to prevent, detect, contain, and correct security violations related to e-PHI. These include administrative policies to govern the workforce and ensure HIPAA compliance, including identifying a privacy officer, risk assessment, employee training, policy review, and contract management.
STANDARD 1: SECURITY MANAGEMENT PROCESS
STANDARD 2: ASSIGNED SECURITY RESPONSIBILITY
STANDARD 3: WORKFORCE SECURITY
STANDARD 4: INFORMATION ACCESS MANAGEMENT
STANDARD 5: SECURITY AWARENESS AND TRAINING
STANDARD 6: SECURITY INCIDENT PROCEDURES
STANDARD 7: CONTINGENCY PLAN
STANDARD 8: EVALUATION
STANDARD 9: BUSINESS ASSOCIATE CONTRACTS AND OTHER AGREEMENTS
PHYSICAL SAFEGUARDS (164.310)
These safeguards are designed to protect e-PHI and its associated information systems from outside threats, environmental hazards, and unauthorized intrusion.
STANDARD 1: FACILITY ACCESS CONTROLS
Please also refer to Google’s Security Whitepaper for specific details on the underlying cloud infrastructure.
STANDARD 2: WORKSTATION USE
STANDARD 3: WORKSTATION SECURITY
STANDARD 4: DEVICE AND MEDIA CONTROLS
TECHNICAL SAFEGUARDS (164.312)
The Technical Safeguards concern the technology that is used to protect the e-PHI and provide access to the data. Data at rest and in transit must be encrypted to NIST standards such that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.
STANDARD 1: ACCESS CONTROL
STANDARD 2: AUDIT CONTROLS
STANDARD 3: INTEGRITY
STANDARD 4: PERSON OR ENTITY AUTHENTICATION
STANDARD 5: TRANSMISSION SECURITY
DOCUMENTATION SAFEGUARDS (164.316)
This section outlines the requirements to document e-PHI related policies and procedures.
STANDARD 1: POLICIES AND PROCEDURES
BREACH NOTIFICATION RULE (164.400-414)
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Breach notices must be made without unreasonable delay and in no case later than 60 days following the discovery of the breach.