Symform - Cloud Storage - Online Backup

Is Symform HIPAA Compliant?

The Short Answer

Yes. Symform complies with the HIPAA Final Security Rule. The HIPAA Final Security Rule is divided into three broad categories of safeguards: administrative, physical, and technical. Symform maintains all of the appropriate technical security mechanisms to protect the data that is transmitted to and from Symform nodes.

Symform encrypts all data using 256-bit AES (Advanced Encryption Standard). AES is the U.S. Federal standard for encryption as defined by the National Institute of Standards and Technology (NIST) and approved by the National Security Agency (NSA).

Symform encrypts all data at source then maintains the encryption in flight and at destination. Data may be encrypted in advance (by the client or MSP) prior to any processing by Symform, if that is preferred.

Symform's encryption is sufficient to help IT professionals comply with the Final Security Rule. Symform also complies with HIPAA Title 2 (Administrative Simplification: the privacy and security of health information), even though Symform customers are not "Covered Entities," as defined by the current rules, and, therefore, are not required to comply with it.

Symform routinely signs Business Associate agreements in order to meet the HIPAA requirements of its resellers and customers.

Today, there is no HIPAA "compliance certification" for backup applications, online storage, and disaster recovery services. Therefore, no software application or service is truly "HIPAA compliant," because there are no regulations that specifically govern this area of technology.

Contact us for more information.

The Long and Winding Road Answer

In 1996, a bill known as the Kennedy-Kassebaum Bill was passed by the U.S. Congress and signed into law by President Bill Clinton. The new law was known as the Health Insurance Portability and Accountability Act of 1996, or more commonly, HIPAA. It had started as a measure to ensure that workers could keep their health insurance when they changed jobs. By the time of its passage, it had become much more complex and far-ranging, affecting the vast majority of all health-care entities in the United States.

Due to the complexity of HIPAA, there has been and continues to be a great deal of confusion about how it applies to many areas, including backup and disaster recovery (BDR).

Who is Required to Comply?

Organizations who are required to comply with HIPAA fall into two categories. The first category consists of "Covered Entities." Covered Entities include all health plans, health care clearinghouses, or health care providers who transmit health information in electronic form.

The second category consists of the Business Associates who serve Covered Entities. A Business Associate is an organization or individual that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information. Business Associate functions or activities that are provided on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business Associate services to a Covered Entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

That said, persons or organizations are not considered Business Associates if their functions or services do not involve the use or disclosure of protected health information (PHI).

Are BDR Vendors Required to Comply?

BDR vendors are not Covered Entities. Since BDR does not involve the use or disclosure of PHI, and any access to PHI by a BDR vendor would be incidental, BDR vendors are not typically categorized as Business Associates. Therefore, they are not governed by the HIPAA Privacy Rule. However, some Covered Entities may wish to have a Business Associate contract in place in any case. This is normally a smart practice.

BDR services do clearly fall within the requirements of the HIPAA Security Rule. Covered Entities must be compliant with the Security Rule. Symform is compliant today.

HIPAA Overview

HIPAA consists of five titles:
  • Title 1 - Health Insurance Portability - helps workers maintain insurance coverage when they change jobs
  • Title 2 - Administrative Simplification - standardizes electronic health care-related transactions, and the privacy and security of health information
  • Title 3 - Medical Savings Accounts & Health Insurance Tax Deductions
  • Title 4 - Enforcement of Group Health Plan provisions
  • Title 5 - Revenue Offset Provisions
Four of the five titles of HIPAA have no bearing on BDR. The one title that does apply is Title 2 - Administrative Simplification.

Administrative Simplification

HIPAA Administrative Simplification consists of two areas. The first is commonly referred to as the Transactions and Code Sets Rule, although it also covers standardization of identifiers. This Rule requires standardization in all health-related electronic transactions, such as electronic transmission of insurance claims, verification of insurance, statements, explanations of benefits, remittance advice, etc.

Symform services are not categorized as a health-related transaction, and, therefore, are not covered under the Transactions and Code Sets Rule.

The second area of Administrative Simplification is made up of two rules: the Privacy Rule and the Security Rule. Since these two rules are where the most confusion arises, we will examine them in some detail.

Privacy and Security

Before the Privacy and Security Rules can be explained, we must understand what they are intended to protect. Both Rules are intended to safeguard any health-related information that can be traced to or used to identify an individual. Some examples of this type of information include name, address, date of birth, Social Security number, or any other identifier. This type of information is referred to as Protected Health Information, or PHI.

The Privacy and Security Rules are intended to protect PHI in different ways. The Privacy Rule sets out limits on who can have access to PHI and for what purpose. The Security Rule regulates the procedural, physical, and technical means that are used to protect PHI.

Privacy

The Privacy Rule places limits on the ways that PHI can be used and disclosed, and requires accounting of disclosures. It is important at this point to review how Symform works.

With Symform, all data are encrypted by the Symform software at source before being transmitted, using a key that is stored at Symform Cloud Control. Data may also be encrypted by the customer or MSP prior to any processing by Symform, if desired; Symform would then simply encrypt the already-encrypted files, and those customer encryption keys would be managed locally.

Symform then "shreds" the encrypted data at source. Encryption is maintained "in flight" and at the destination. Symform does not involve the use or disclosure of PHI.

Since all data are stored in the cloud in an encrypted format and any access to PHI by an MSP would be incidental (if even possible), MSPs are not normally considered to be Business Associates and are not required to be compliant with the HIPAA Administrative Simplification Privacy Rule.

Security

The Final Security Rule is the one part of HIPAA that clearly applies to BDR services that Symform offers. The Final Security Rule governs the processes that should be used to protect PHI. It requires that Covered Entities have appropriate Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to PHI.

Examples of appropriate safeguards include:

  • Establishment of clear access control policies, procedures, and technology to restrict who has authorized access to PHI.
  • Establishment of restricted and locked areas where PHI is stored.
  • Establishment of appropriate data backup, disaster recovery, and emergency operation planning.
  • Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network.

Symform cloud storage and online backup is compliant with the HIPAA Final Security Rule.

The Symform software contains all appropriate technical security mechanisms to protect the data that is transmitted to and from Symform nodes.

Other resources

  • HIPAA - U.S. Department of Health and Human Services Resources
  • Health Information Privacy Information
  • The HIPAA Final Privacy Rule
  • HIPAA - The Final Security Rule
  • Whitepaper: Achieving Regulatory Compliance (Praerit Garg, President & Co-founder, Symform)

©2008 - Symform, Inc. All Rights Reserved.