Editor: cyhzg 2019-07-16
HIPAA/HITECH Compliance Using VMware vCloud Air

Last Updated: September 23, 2014

White Paper

Introduction

This paper is intended for security, privacy, and compliance officers whose organizations must comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, and others responsible for maintaining compliance with those Acts.

HIPAA and HITECH establish rules covering healthcare organizations and their business associates to assure the privacy and security of Protected Health Information (PHI), including PHI contained in Electronic Medical Records (EMR). When such an organization entrusts PHI to a business associate for processing or storage, for example in a Cloud Service, responsibility for compliance with HIPAA and HITECH rules may fall to the organization or its associate, or it may become a joint responsibility of the organization and its associate. The paper:

• Outlines individual and joint responsibilities of VMware clients who must comply with HIPAA and HITECH rules, and VMware as their business associate, when PHI is transmitted to, stored in, processed by, and retrieved from VMware vCloud® Air™.

• Introduces the VMware Business Associate Agreement documenting VMware's commitment to use appropriate privacy and security safeguards against unauthorized use or disclosure of PHI, and to respond appropriately to data breaches.

Responsibilities for Protected Health Information in the Cloud

Healthcare providers, insurers, and other organizations comply with HIPAA and HITECH rules by instituting, documenting, and auditing processes to assure the privacy and security of patients' Protected Health Information. Technologies like Cloud computing can't themselves be HIPAA-compliant or noncompliant, but technology providers' practices become part of the compliance discussion when they affect PHI privacy and security. VMware has developed an information security management program for its vCloud Air, incorporating essential elements of HIPAA and HITECH. But healthcare and insurance clients must understand the limits of VMware's (or any Cloud Service Provider's) control over the components and processes of cloud computing. Understanding these limits will help VMware and its clients define their roles and responsibilities logically, so that they can meet their individual and joint privacy and security obligations without duplication or gaps.

Individual Responsibilities and Limits to Control

Organizations are responsible only for processes they control. For instance, VMware maintains the infrastructure that stores information sent or created by vCloud Air tenants as "virtual machines", "virtual disks", etc., on vCloud infrastructure. VMware maintains and controls the data centers, physical infrastructure, and management systems that make up this infrastructure, and is therefore responsible for elements associated with the infrastructure, including for example:

• Administrative safeguards – policies and procedures governing access controls, incident response, backup and recovery, etc.

• Physical safeguards – infrastructure, policies, logs, records, and procedures to control physical access to PHI and guide its secure disposal.

• Technical safeguards – access controls for electronic communications containing PHI, including encryption and network security associated with the infrastructure, but not tenant systems or data.

VMware also controls, and is responsible for, the processes by which it notifies Service tenants following discovery of a breach of unsecured PHI.
