Achieving a HIPAA-compliant status for your cloud environment is a much easier process when signing up with Atlantic.Net’s HIPAA-compliant hosting services. With this service, the majority of the cloud hosting responsibilities are picked up by the teams at Atlantic.Net; however, due to the nature of HIPAA compliance certification, there are a few parts of HIPAA that each of our customers must either be fully or partially responsible for.

HIPAA compliance is achieved when all of the mandated physical, technical, and administrative safeguards are met. This includes the Privacy and Security rule amendments of 2003 and the Final Omnibus Rule of 2013. We will go into detail about what all that means to you, the customer.

Although some of the following may seem like a daunting task, you can rest easy, because Atlantic.Net can handle 90% of the requirements with managed services. In reality, our HIPAA compliant customers only need to worry about a small fraction of the overall process.

As always, if ever you need to contact our teams to discuss your requirements, you are welcome to get in touch today.

Customer Responsibilities

Inevitably with HIPAA Compliance, some elements need to be completed by the client. These parts are focused on customer data and patient data and relate to information systems directly handled by the client.

Database Management – Atlantic.Net hosting solutions will stand up a database instance for you on our cloud platform; however, the day-to-day administration is the responsibility of the customer. Atlantic.Net engineers do not have any user access to your system, making managing the DB an impossible task for our engineers.

The customer is responsible for the structure of the data, how the tables are defined, and so forth, and they are also responsible for user administration and security. The instance Atlantic.Net provides is hardened to industry best practices; however, each client will need to force adequate system controls to protect unauthorized access to data.

Clients are responsible for the day-to-day maintenance of any database applications hosted on the platform, including database security, user credentials, and privileges. This also includes the data contained within the database. If the customer requires the database to be additionally encrypted, this must be managed by the customer; this is highly recommended according to industry best practices.

Customer Data – Each client is responsible for their customer data. This includes importing, managing, and updating all data. The customer is required by HIPAA legislation to have accurate data held on each patient and to respond promptly to information requests from the patient.

Atlantic.Net has no access to customer data, and as a result, this must be managed in-house by the customer.

Applications – As a client of Atlantic.Net, you are responsible for the maintenance of your applications. This includes the installation, configuration, and upkeep, such as security patching, unless you opt for our Server Management which can cover these requirements depending on the applications.

Every healthcare organization uses different HIPAA compliant applications, and many also use their own proprietary applications. As a result, supporting applications is very difficult for a managed service provider. You will receive a similar response at most MSPs; alternatively, the price will be reflective of the custom one-off work that is required to properly maintain these types of applications.

It is the customer’s responsibility to manage and maintain any additional software licensing used in day-to-day operations, including off-the-shelf applications or in-house custom software.

Please note that we do offer Managed Service options that offer support up to and including the operating system.

Identity & Access Management – Each customer is responsible for managing their directory services, such as Active Directory or any other LDAP solution. This includes permission-based access and access to the Atlantic.Net control panel.

The client owns the entire user lifecycle process. This includes adding, modifying, and deleting users and handling all-access queries about permissions.

Atlantic.Net will provide the tools to complete the job.

Client-Side Data Encryption and Data Integrity Authentication – any protected health information stored locally on client internal IT Systems is the responsibility of the client. What this means is that employees must ensure that files are encrypted locally and that correct protocol is followed when transmitting PHI locally.

This is typically any frontend client-side encryption technology, such as PGP, BitLocker, and any application-specific encryption.

Once the data is in the Atlantic.Net cloud, our systems will ensure protective measures are followed; however, to be HIPAA compliant, patient data must be protected before sending to the cloud platform.

Service-Side Encryption (File and Data) – Once the data is stored inside the Atlantic.Net cloud, the customer must ensure that files remain encrypted and that the data remains valid. Any backend service-side encryption technology, which is typically database and application-specific encryption, is the responsibility of the customer outside of the physical disks since they are encrypted at rest by default by Atlantic.Net.

Employees shouldn’t decrypt files server-side or copy them to their devices. The entire process must be audited from end to end.

If you have any queries about these customer requirements, then please talk to the team. We are more than happy to explain the exact requirements to you. HIPAA compliance is hard to achieve, and unfortunately, there are some elements that Atlantic.Net are unable to control until ingested into our systems.

The Atlantic.Net Difference

Atlantic.Net will do as much as possible to help our healthcare clients. We are always available for help and assistance, so do not hesitate to get in touch. Unfortunately, due to the complexity of HIPAA Compliance, there are just some tasks that Atlantic.Net is unable to do for our clients. If there is ever a time that your request is outside our scope of support, we can offer a one-time fee for a professional service agreement if our team is able to handle the request. These are hourly-based support requests for those times when you need a specialized helping hand that Atlantic.Net normally doesn’t provide.

The good news is that we handle just about everything else, including managing the Cloud Servers, storage, networking, encryption-at-rest, physical security, and the day-to-day management of the Cloud Platform.

Elsewhere several elements come with shared responsibility: auto-patching, log inspection, VPN management, DNS, and integrity monitoring. Please check this article if you want to learn more about the Atlantic.Net shared responsibility model.

Atlantic.Net has over 30 years of experience providing customer-oriented IT Solutions. We are renowned for our HIPAA-compliant cloud services, supported by a security-defined platform architected to the highest standards. Our HIPAA-compliant cloud is available as a managed service or via a self-service offering – the perfect choice for your next healthcare project.

Get Help with HIPAA Compliance

Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or visit www.atlantic.net.