The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that dictates US standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
The Aptible Security & Compliance Dashboard provides a HIPAA readiness score based on controls required for meeting the minimum standards of the regulation, labelled HIPAA Required as well as addressable controls that are not required to meet the specifications of the regulation but are recommended as a good security practice, labelled HIPAA Addressable.
HIPAA prescribes certain implementation specifications as “required”, which means the control in question has to be implemented in order to meet the requirements of the regulation. An example of such a specification is 164.308(a)(7)(ii)(A), requiring implemented procedures to create and maintain retrievable exact copies of ePHI. This specification is met with Aptible’s automated daily backup creation and retention policy.
The HIPAA Required score gives you a binary indicator of whether or not you’re meeting the required specifications under the regulation. By default, all resources hosted on a Dedicated Stack meet the required specifications of HIPAA, so if you plan on processing ePHI, it’s a good idea to host your containers on a Dedicated Stack from day 1.
The concept of "addressable implementation specifications" was developed by the HHS to provide covered entities and business associates additional flexibility with respect to compliance with HIPAA. In meeting standards that contain addressable implementation specifications, a covered entity or business associate will do one of the following for each addressable specification:
- Implement the addressable implementation specifications;
- Implement one or more alternative security measures to accomplish the same purpose;
- Not implement either an addressable implementation specification or an alternative.
The HIPAA Addressable score tells you what percentage of infrastructure controls have been implemented successfully in order to meet relevant addressable specifications as per HIPAA guidelines.
Updated about 1 year ago