What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a United States law that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers.
What is HIPAA compliance?
HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the HIPAA Omnibus Rule.
HIPAA compliance is a continuous process that covers many different activities and measures, such as policies, procedures, technical controls and awareness programs. These must be implemented alongside the products used.
NOTE! This article does not aim to give legal advice and does not cover Customer obligations that are not related to Acronis products. This article is intended to help you adjust your internal processes and your use of Acronis products in a HIPAA-compliant way. Acronis Customers are solely responsible for evaluating and fulfilling their own legal and compliance obligations under HIPAA, and for using Acronis products and services in an appropriate manner under the HIPAA requirements.
Who is affected by HIPAA? Acronis' role
There are three groups of stakeholders:
- A Covered Entity (a health care organization);
- A Business Associate (a person or organization that provides a service to covered entities and may have access to patients' personal information);
- Optionally, a Subcontractor (a person or organization that uses the PHI of a Business Associate to carry out additional work for the Business Associate or the Covered Entity).
Acronis may be either a Business Associate or a Subcontractor.
Is Acronis HIPAA-certified?
There is no official, legally recognized HIPAA compliance certification process or accreditation. However, Acronis follows the HIPAA compliance requirements in the parts that apply to it.
Which Acronis products are HIPAA compliant?
Acronis has performed an internal readiness assessment and determined that the following products can be used in a HIPAA-compliant way:
- Acronis Backup Cloud as part of Acronis Cyber Cloud
- Acronis Files Cloud as part of Acronis Cyber Cloud
- Acronis Backup Advanced 12.5 with Acronis Cloud Storage subscription
- Acronis Disaster Recovery 1.0
The functions and HIPAA compliance status of individual Acronis products can vary depending on the product and the data center. Please confirm the compliance status of a particular product or data center with your account manager, or contact Acronis Customer Central support.
When should a Business Associate Agreement (BAA) be signed?
A Business Associate Agreement (BAA) must be in place both between the Covered Entity and the Business Associate, and between the Business Associate and any Subcontractor, to protect the confidentiality of all PHI. Acronis signs a BAA with customers that are:
- Covered Entities (a Healthcare Provider, Health Plan or Health Care Clearinghouse);
- Business Associates (engaged by a Covered Entity and holding a BAA with that Covered Entity).
Acronis signs the BAA with existing customers, or the BAA can be signed together with the master agreement or the product purchase.
Please note that a BAA cannot be signed in advance!
How to use Acronis products in a HIPAA-compliant way?
If you are a Covered Entity or a Business Associate and you are going to use an Acronis product to process Protected Health Information (“PHI”), please take the following preparation steps in advance:
- Confirm with your account manager that the Acronis product you are going to use is HIPAA-compliant.
- Confirm with your account manager that the Acronis products utilize a HIPAA-compliant data center.
- Request a Business Associate Agreement (“BAA”) from your account manager.
After signing a BAA with Acronis, you should integrate the Acronis products into your company's HIPAA compliance program by revising or implementing Administrative and Technical safeguards:
- Treat the Acronis product as one of the assets within your general risk management process.
- Implement or update your internal policies and procedures to ensure that they cover the Acronis product as well. These rules should include, among others, the following:
  - Access control procedures regulating access provisioning, modification, review and revocation. Remember that access to Acronis products must be allowed only to users who have been granted access rights. Assign different role-based access rights, including read-only and/or administrative accounts. Moreover, each user's account name must be unique so that activity can be identified and tracked.
  - Procedures for the regular review of records available in Acronis products, such as audit logs, access and activity reports, and alert reports, which can be used for security incident tracking. Please find more information in the official Acronis documentation:
- Amend your disaster recovery plans with the processes related to Acronis products.
- Test your plans and the operation of Acronis products periodically (Acronis recommends performing data restoration tests at least annually).
- Devise sanction procedures for violations of internal regulations, including violations related to the use of Acronis products.
- Perform periodic inspections to verify that Acronis products and other HIPAA-relevant systems are configured and used in accordance with the implemented policies and procedures.
- Do not forget to revise documentation and to keep it up to date.
- Add the use of Acronis products to your awareness and training program. Make sure that all HIPAA-relevant documentation is made available to the persons responsible for implementing the procedures to which it pertains.
- Set up two-factor authentication in your Acronis Cyber Cloud: https://www.acronis.com/en-us/support/documentation/ManagementPortal/#43735.html
- For Acronis Backup products, configure the backup archive encryption mode as a machine property:
- Configure periodic backup archive validation to verify the integrity of your backup archives:
We also recommend combining this with Acronis Notary, which can serve as an additional mechanism to ensure the authenticity of electronic protected health information.
- Keep Acronis and other software up to date by installing the latest versions and available patches in a timely manner.
- We also recommend keeping a local backup in addition to the cloud backup, and, if you use only an on-premises installation, a cloud backup in addition to the local one.
Please note that these measures are not exhaustive for reaching HIPAA compliance. Customers must implement a number of policies and procedures, and must separately assess all the required safeguards depending on their context. These may include, among others, physical controls such as workstation use and security policies, device and media controls, etc. End users must be aware of the existence of the HIPAA regulation and follow its requirements.
You can learn more about the measures Acronis applies on its side to protect its data centers, and specifically the PHI, at the following links: