HIPAA-Compliance

We have some great news for you on the compliance front! Kinvey, the industry-leading HIPAA Compliant Cloud, has successfully completed our latest independent third-party compliance assessment.

NuHarbor Security conducted an Independent Security Controls Assessment of the Technical and Administrative controls included within the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule. The scope of this assessment included the entire Kinvey Backend as a Service platform, running on Google Cloud Platform, as well as all applicable processes and procedures. Kinvey conformed with every HIPAA citation that was applicable and in scope for the analysis.  

Achieving this is no small task. Everyone on the Kinvey team has a role to play in ensuring HIPAA compliance. Below is a high-level checklist of what it takes to be HIPAA compliant. As you will see, it’s quite involved and touches every aspect of our operation. Congrats to the team!

HIPAA Compliant Checklist

Security and privacy are major concerns. Healthcare organizations are under intense pressure from both the U.S. government and payers to reduce costs while improving patient outcomes.

Mobile healthcare (mHealth) is poised to make a huge positive impact with connected medical devices, wearable devices, patient adherence, clinical trials, and other B2C, B2B, and B2E apps to drive increased productivity, lower costs, and improve patient centric healthcare. But mobile apps pose new challenges for adhering to HIPAA and HITECH requirements for securing electronic Protected Health Information (e-PHI).

Healthcare organizations that fail to implement the necessary safeguards as required by these laws risk exposing sensitive PHI and may also incur the high costs of noncompliance.

The HIPAA Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Security Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain healthcare providers. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.

The rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy and Security Rules.

Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its healthcare functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.

Under HIPAA, Kinvey is a Business Associate to a Covered Entity (our customer). As such, Kinvey will sign a Business Associate Agreement (BAA) with our customers to cover the Kinvey BaaS service and its underlying infrastructure, and Kinvey in turn has a BAA with Google, our cloud infrastructure provider, to cover the cloud compute, storage, and network.

The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI. Kinvey adheres to applicable aspects of the HIPAA Security Rules. This document outlines Kinvey’s approach to addressing the needs set forth in the e-PHI Security Rules.

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational requirements
  • Policies and procedures
  • Documentation requirements
  • Breach notification requirements

In addition to this blog, please refer to the Kinvey Security Whitepaper for more information on our HIPAA Compliant Cloud.

REQUIRED OR ADDRESSABLE IMPLEMENTATION SPECIFICATIONS

If a HIPAA Compliant implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards.

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative.

The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.

ADMINISTRATIVE SAFEGUARDS (164.308)

Administrative Safeguards for HIPAA Compliance require covered entities and Business Associates to implement policies and procedures to prevent, detect, contain, and correct security violations related to e-PHI. These include administrative policies to govern the workforce and ensure HIPAA compliance, such as identifying a privacy officer, risk assessment, employee training, policy review, and contract management.

STANDARD 1: SECURITY MANAGEMENT PROCESS

HIPAA Compliant Security Management Process

STANDARD 2: ASSIGNED SECURITY RESPONSIBILITY

HIPAA Compliant Assigned Security Responsibility

STANDARD 3: WORKFORCE SECURITY

HIPAA Compliant Workforce Security

STANDARD 4: INFORMATION ACCESS MANAGEMENT

HIPAA Compliant Information Access Management

STANDARD 5: SECURITY AWARENESS AND TRAINING

HIPAA Compliant Security Awareness Training

HIPAA Security Awareness and Training 2

STANDARD 6: SECURITY INCIDENT PROCEDURES

HIPAA Compliant Security Incident Procedure

STANDARD 7: CONTINGENCY PLAN

HIPAA Compliant Contingency Plan

STANDARD 8: EVALUATION

HIPAA Compliant Periodic Evaluation

STANDARD 9: BUSINESS ASSOCIATE CONTRACTS AND OTHER AGREEMENTS

HIPAA Compliant Business Associate Contracts

PHYSICAL SAFEGUARDS (164.310)

These safeguards are designed to protect e-PHI and its associated information systems from outside threats, environmental hazards, and unauthorized intrusion.

STANDARD 1: FACILITY ACCESS CONTROLS

Please also refer to Google’s Security Whitepaper for specific details on the underlying cloud infrastructure.

HIPAA Compliant Facility Access Controls

STANDARD 2: WORKSTATION USE

HIPAA Compliant Workstation Use

STANDARD 3: WORKSTATION SECURITY

HIPAA Compliant Workstation Security

STANDARD 4: DEVICE AND MEDIA CONTROLS

HIPAA Compliant Device Media Controls

TECHNICAL SAFEGUARDS (164.312)

The Technical Safeguards concern the technology that is used to protect the e-PHI and provide access to the data. Data at rest and in transit must be encrypted to NIST standards such that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.

STANDARD 1: ACCESS CONTROL

HIPAA Compliant Access Control

STANDARD 2: AUDIT CONTROLS

HIPAA Compliant Audit Controls

STANDARD 3: INTEGRITY

HIPAA Integrity

STANDARD 4: PERSON OR ENTITY AUTHENTICATION

HIPAA Compliant Person or Entity Authentication

STANDARD 5: TRANSMISSION SECURITY

HIPAA Compliant Transmission Security

DOCUMENTATION SAFEGUARDS (164.316)

This section outlines the requirements to document e-PHI related policies and procedures.

STANDARD 1: POLICIES AND PROCEDURES

HIPAA Compliant Policies and Procedures

BREACH NOTIFICATION RULE (164.400-414)

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Breach notices must be made without unreasonable delay and in no case later than 60 days following the discovery of the breach.

HIPAA Compliance Breach Notification

Learn more about Kinvey’s HIPAA Compliant App Cloud and our Backend as a Service (BaaS).

Contact us to speak to a Kinvey specialist.