HIPAA compliant database, what is it exactly?

A HIPAA compliant database is a database that can securely store individually identifiable health information as per the standards outlined by the Federal Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules [PDF].

Any business can own a HIPAA compliant database

That’s right; your business could own a HIPAA compliant database today. But what is better than a HIPAA compliant database? A HIPAA compliant cloud database, of course.

If you’re worried that a HIPAA compliant database is already a complicated affair, even before adding the “cloud” aspect – don’t be!

Right now, things are easier than you think: there are cloud database design solutions you can use to create your own online databases.

In fact, using a cloud database design tool to design your HIPAA compliant database is a smart move because it is:

  • Easy to use: any citizen developer can create databases, which eliminates the need for a specialist technical team
  • Cost-effective: save time, energy, and money by using a low-code solution to design an efficient cloud database
  • Quickly deployable: databases can be created and deployed in a matter of minutes
  • No maintenance required: routine and critical database jobs like administration, patching, securing, and backing up are all handled by administrators and hosting professionals
  • Meets your standards and expectations: you meet all your design requirements – after all, you will be designing your own cloud database from scratch

Now, it is undeniable that complying with HIPAA database rules is a time-consuming process. And although it might still take a bit longer than a standard account, achieving compliance is easy and cost-effective with Kohezion.

Contact us to learn more.

What companies does HIPAA apply to?

The Act applies to any company that comes under the umbrella of:

  • Health plan providers
  • Clearinghouses
  • Healthcare providers
  • Any organization that deals with PHI (Protected Health Information) data

It also applies to any business that works with another one that operates under HIPAA compliance or is required to do so. An example here would be sub-contractors who are required to handle the PHI data for larger organizations.

Therefore, according to the Act, your business should seek compliance if you store PHI. It is enforceable on your company if you operate on US shores or, if as an offshore company, you handle the PHI records of individuals located in the country.

Fact: PHI includes all individually identifiable health information of US and even non-US citizens.

What purpose does HIPAA serve?

When HIPAA was passed in 1996, it was created with the intention of:

  • Modernizing the flow of healthcare information and laying down the ground rules for electronic sharing of PHI
  • Laying out the security standards as to how personal data maintained by the health industry should be protected from fraud and theft
  • Addressing constraints in healthcare insurance coverage of workers and their families, even when the workers are between jobs or unemployed

One critical aspect of the HIPAA rules is the one that requires the secure storage of data – on databases that also comply with the rules.

What do the HIPAA rules say?

As a principle, a HIPAA compliant database should serve the primary goal of the HIPAA Security Rule, which requires that an organization protect the data it holds and “ensures the confidentiality, integrity, and availability of PHI that it creates, receives, maintains or transmits.”

This means it should have features or methods that guarantee:

  • Confidentiality: making sure only the people with proper authority can access the database
  • Integrity: making sure data is not altered – whether it is due to malicious intent or even sheer negligence
  • Availability: making sure the data is always readily available to authorized users

What are the HIPAA database requirements?

To be considered a HIPAA compliant database, it must have all of the following features and capabilities:

  • End-to-end encryption of data in all its states – protection of data at all times; whether it is at rest, in motion, or while in use
  • Proper handling of encryption keys – protecting the codes that are used in securing the data
  • Protecting data from other sub-systems and dependent databases as well as the main database itself – data should only be made available to secure and authorized applications and subsystems that need to access it
  • Creation of unique user IDs – everyone that uses the database should have their own login and password
  • Proper user administration – authenticating the users and assigning them proper roles
  • Audit trails and logs – history of data and transactions properly maintained and kept for 6 years, at least
  • Database backups – also encrypted, tested, and itself securely stored
  • Hosting compliance – the database should be hosted with a HIPAA compliant hosting company
  • Proper training of administrators – only staff that have the required HIPAA compliance training should be allowed to handle technical support
  • Ensuring currency and security – ensuring that updates are done automatically and scheduled regularly
  • Proper discarding of unrequired data – destruction of data should be done in a way that meets NIST standards for sanitizing data so it can’t be deciphered at a later date
  • Compliance of contractors, subcontractors, etc. – Business Associate Agreements (BAA) contracts should be put in place before PHI data can be shared between two or more parties
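As an added illustration (not Kohezion’s code or any product’s), here is a small Python model of three technical requirements from the list above: unique user IDs with assigned roles, an audit trail that is tamper-evident and also records denied attempts, and the six-year retention check. The roles, user IDs, record IDs and timestamps are constructed for the example.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta

RETENTION = timedelta(days=6 * 365)  # audit trail "kept for 6 years, at least"
ROLE_PERMS = {"clinician": {"read", "write"}, "billing": {"read"}}  # constructed roles


class PhiStore:
    def __init__(self, audit_key: bytes):
        self._key = audit_key  # log-signing key, held apart from the data it protects
        self.users, self.records, self.audit = {}, {}, []  # id->role, PHI, chained log

    def add_user(self, user_id, role):
        # Unique user IDs: registering the same ID twice is refused.
        if user_id in self.users or role not in ROLE_PERMS:
            raise ValueError("duplicate user ID or unknown role")
        self.users[user_id] = role

    def _mac(self, entry):
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _log(self, user_id, action, record_id, allowed, ts):
        prev = self.audit[-1]["mac"] if self.audit else "0" * 64  # chain to previous entry
        entry = {"ts": ts, "user": user_id, "action": action,
                 "record": record_id, "allowed": allowed, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.audit.append(entry)

    def access(self, user_id, action, record_id, ts, value=None):
        """Role check first; every attempt, allowed or denied, lands in the audit log."""
        role = self.users.get(user_id)
        allowed = role is not None and action in ROLE_PERMS[role]
        self._log(user_id, action, record_id, allowed, ts)
        if not allowed:
            raise PermissionError(f"{user_id} may not {action} {record_id}")
        if action == "write":
            self.records[record_id] = value
        return self.records.get(record_id)

    def verify_audit(self):
        """False if any entry was altered, deleted from the middle, or reordered."""
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or not hmac.compare_digest(self._mac(e), e["mac"]):
                return False
            prev = e["mac"]
        return True

    def purgeable(self, now_iso):
        cutoff = datetime.fromisoformat(now_iso) - RETENTION  # discard only older entries
        return [e for e in self.audit if datetime.fromisoformat(e["ts"]) < cutoff]
```

The HMAC chain makes a log entry that is edited, removed or reordered detectable at review time; a real deployment would write the log to append-only storage and keep the signing key in a separate key-management system.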

Get your HIPAA compliant database today!

If your business deals with PHI data, it means all your databases need to be HIPAA compliant databases – right now.

Non-compliance is such a serious offence that violators can face fines of at least $50,000 per violation.

And so, if you haven’t already done so, now is the time to start creating your HIPAA compliant database.

Contact us to find out how.