For healthcare providers, maintaining the accuracy, privacy, and security of PHI (Protected Health Information) is not only essential for remaining compliant with HIPAA regulations, but also vitally important to your consumers.
HIPAA identifies three areas that covered entities must address concerning the protection of this information. Administrative, technical, and physical safeguards are the basis for ensuring the proper handling, access, storage, and recovery of PHI. You owe it to your customers to choose a comprehensive data protection solution that protects not only you, but your customers as well. CRC Data Protection affords you the comfort that you are compliant and, most importantly, that your data is secure.
| Concept | Section(s) | CRC Data Protection Solution |
|---|---|---|
| Contingency Plan | 164.308(a)(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. 164.308(a)(7)(ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. | CRC Data Protection software and services provide a complete, secure solution for the backup, retention, and recovery of data. With CDP (Continuous Data Protection), multi-tiered BLM (Backup Lifecycle Management), and bare metal restore capabilities, you are never more than a couple of clicks away from fully restoring your data from multiple RPOs (Recovery Point Objectives). |
| Access Controls | 164.312(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). | With CRC Data Protection software, data access is controlled by centrally managed policies, so only authorized individuals have access to sensitive data. In addition, Data Protection online resources can only be accessed via a secure web portal by an authorized user name and password. 128-bit AES data encryption (including user credentials) and 128-bit SSL protect against credential theft and help provide a secure and accurate audit trail. |
| Audit Controls | 164.312(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | CRC Data Protection allows for logging of data backup, deletion, and recovery activities, which can be monitored for all home and ROBO (remote office/branch office) locations through a centralized management tool. |
| Data Integrity | 164.312(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. 164.312(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | To ensure the highest level of data security, the small files and delta blocks of data are first compressed and then encrypted up to AES 256. Data remains encrypted in flight and at rest. The backup data is only decrypted by the DS-Client at the site once it has retrieved the encrypted data. With CRC Data Protection's BLM, digital certificates are created for data deleted from the database, providing an audit trail for data manipulation. 128-bit AES data encryption (including user credentials) and 128-bit SSL protect against credential theft and help provide a secure and accurate audit trail. |
| Authentication | 164.312(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | With CRC Data Protection software, users are authenticated by a username and password, so only authorized individuals have access to sensitive data. 128-bit AES data encryption (including user credentials) and 128-bit SSL protect against credential theft and help provide a secure and accurate audit trail. |
HIPAA Privacy Rule, Safeguards: §164.530(c)(1). Compliance by CRC Data Protection or covered entity policies:

| Concept | Section(s) |
|---|---|
| Administrative | §164.308 |
| Technical | §164.312 |
| Physical | §164.310 |
| Access to PHI | §164.524 |
| Amendment to PHI | §164.526 |
| Encryption of PHI | §164.312 |
HIPAA Security Standards Matrix

| Standard | Section(s) |
|---|---|
| Assigned Security Officer | §164.308(a)(2) |
| Access Authorization | §164.308(a)(4) |
| Security Incident Reporting | §164.308(a)(6) |
| Contingency Plan: Data Backup | §164.308(a)(7) |
| Contingency Plan: Disaster Recovery | §164.308(a)(7) |
| Business Associate Agreement | §164.308(b)(1), 106.103 |
| Facility Access Controls | §164.310(a)(1) |
| Device & Media Controls | §164.308(d)(1) |
| Access Control | §164.312(a)(1) |
| Transmission Security | §164.312(e)(1) |