Webair currently supports the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) regulations across many of its service offerings. Additionally, Webair has the ability to sign HIPAA Business Associate Agreements (BAAs) with customers. As one of the few companies offering managed Cloud services that signs HIPAA BAAs, Webair demonstrates its commitment to the proper storing and security of electronic Protected Health Information (ePHI) data for the healthcare and enterprise markets.
What is HIPAA?
- The HIPAA Act of 1996 is a federal mandate that requires specific security and privacy protections for Protected Health Information (PHI). More information around HIPAA can be found here: www.hhs.gov/ocr/privacy/index.html.
What’s the difference between HIPPA, HITECH, and the final HIPAA Omnibus Rule?
- The HITECH Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology in the U.S.
- In 2013, the final HIPAA Omnibus Rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of PHI — including HIPAA Business Associates (BA) — subject to the same security and privacy rules as covered entities under HIPAA.
Which Webair services can help facilitate HIPAA compliance for its customers?
- Colocation services offered in our New York, Los Angeles, Montreal, and Amsterdam facilities
- Bare Metal Servers offered in all of our facilities (self-managed)
- Managed and Unmanaged Private Clouds configured with our recommended security offerings
- Managed and Unmanaged Public Clouds configured with our recommended security offerings
- Cloud Storage
- IP Transit
How can I ensure I am meeting the HIPPA obligations for my organization?
- Webair signs BAA addendums with its customers who have purchased the eligible services listed above. A signed BAA should be in place between Webair and the customer prior to storing any PHI.
- Customers are responsible for configuring their applications, platforms, websites and portals in a HIPAA-compliant manner and for enforcing policies in their organizations to meet HIPAA compliance.
What industry certifications has Webair obtained to prove its HIPPA compliance?
- Webair maintains SSAE16 SOC 1 TYPE II compliance for all of its data centers.
- While there are no specific industry certifications for HIPAA compliance, Webair’s SSAE16 SOC 1 TYPE II audits do include a HIPPA Matrix attesting that Webair properly conforms to the HIPPA regulations.
- Yearly audits are performed and evaluated by an independent, third-party auditor who has issued an evaluation report that details the controls Webair has in place to meet HIPAA requirements in regards to data privacy and security.
How do I get a copy of the third party audits?
- Please contact your Webair account representative.
In what ways does Webair support HIPPA compliance in its services?
In addition to being able to sign HIPAA BAAs, Webair offers the following features to help protect data:
- Each customer is segmented into their own dedicated Virtual Local Area Networks (VLANs) for public Internet and internal communications.
- All data between shared storage platforms and customer infrastructure travels over a VLAN dedicated to the customer.
- Restricted physical access to production servers.
- Strict access control system for physical facilities and servers.
- All managed services are firewalled by default for Secure Shell (SSH) and File Transfer Protocol (FTP).
- Data uploaded to managed platforms is automatically scanned for viruses.
- Multiple types of Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Firewall, and Web Application Firewall (WAF) services are available to be added to any customer configuration.
- Distributed Denial of Service (DDoS) mitigation services are available to detect and block malicious volumetric attacks.
- Customers are provided access to NetFlow portals to view details on all traffic to/from their infrastructure
- Anti-virus software (ClamAV) available to be ran on managed platforms.
- File auditing software (Tripwire) available to be run on managed platforms.
- Configurable administrative controls available to the customer to:
- Grant explicit authorization for FTP & SSH accounts
- Audit logs for customer portal
- Reporting and audit trail of account activities on both users and content (via Tripwire)
- Formally defined and tested breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files are highly restricted
- 99.9% uptime SLA
Has Webair signed HIPAA BAAs with customers to date?
- Yes, Webair has signed BAAs with several healthcare and biotech customers to date.
Can Webair sign HIPAA BBAs with partners who are doing business with healthcare customers (e.g., covered entities or other BAs)?
- Yes, Webair has the ability to enter into a direct BAA with the partner as well as directly with the partner’s customer as needed.
How can I get more information on Webair’s HIPAA compliance and services?
- Please contact your Webair account representative. If you don’t have one, please call 1-866-WEBAIR1 and speak to someone in the sales department.