XMission is HIPAA compliant.
XMission performs a HIPAA (Health Insurance Portability and Accountability Act) audit whose scope currently includes our data center and colocation product. The audit is conducted by the CPA firm A-lign, which specializes in these audits for IT firms.
What is HIPAA and ePHI/PHI?
The Health Insurance Portability and Accountability Act (HIPAA) and subsequent Health Information Technology for Economic and Clinical Health (HITECH) Act define policies, procedures and processes that are required for organizations that store, process or handle electronic protected health information (ePHI).
ePHI (electronic protected health information) refers to private health information that health care professionals create, store, and sometimes share with each other. HIPAA requires strict policies and procedures to protect this data and keep it private.
What does this mean for XMission customers?
HIPAA compliance assures potential and existing customers that XMission's policies and procedures are sound according to HIPAA guidelines. Customers can request a copy of our assessment report, which could make it easier for them to pass their own HIPAA audit. If anything is missing which could help them with their own audit, or better set them at ease regarding the products they purchase from XMission, we gladly welcome such requests. We have already started to evaluate how we will expand the scope in next year's audit.
Why is this important for data centers?
Protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) is the essence of the HIPAA Security Rule. A HIPAA compliant facility helps ensure your own compliance with these requirements, especially since the 2013 Omnibus ruling.
What is the Omnibus Ruling?
The Omnibus ruling expanded HIPAA requirements in ways that directly apply to data centers, because it modifies the HIPAA Privacy, Security, and Enforcement regulations in the following ways:
- Makes business associates of covered entities, and subcontractors of those business associates, directly liable for compliance with certain HIPAA Privacy and Security Rule requirements
- Requires modifications to a covered entity’s Notice of Privacy Practices
- Adopts the additional HITECH Act enhancements to the Enforcement Rule, particularly regarding privacy breaches and penalties
In other words, colocating in a HIPAA compliant data center can help you even if you're only a business associate or subcontractor.