We've made understanding HIPAA easy and straightforward. The table below
presents the statutory regulations organizations are required to comply
with, and how Prestwood Data Services backup solutions help achieve these
The Administrative Simplification provisions of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA, Title II) required the
Department of Health and Human Services (HHS) to establish national
standards for electronic health care transactions and national identifiers
for providers, health plans, and employers. They also addressed the security
and privacy of health data. As the industry adopts these standards, the
efficiency and effectiveness of the nation's health care system will improve
through wider use of electronic data interchange.
45 CFR Parts 160, 162, and 164
Health Insurance Reform: Security Standards; Final Rule
| Statutory Compliance and Federal Regulation Section* | Requirement |
|---|---|
| Risk Management (R) | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with |
| Workforce Security (R) | Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to ePHI. |
| Termination Procedures (A) | Implement procedures for terminating access to ePHI when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this |
| Contingency Plan (R) | Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. |
| Data Backup Plan (R) | Establish and implement procedures to create and maintain retrievable exact copies of ePHI. |
| Disaster Recovery Plan (R) | Establish (and implement as needed) procedures to restore any loss of data. |
| Facility Access Controls (R) | Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. |
| Data Backup and Storage (A) | Implement policies and procedures to create a retrievable, exact copy of ePHI, when needed, before movement of equipment. |
| Access Control (R) | Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). |
| Audit Controls (R) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. |
| Transmission Security (R) | Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. |
| Encryption and Decryption (A) | Implement a mechanism to encrypt ePHI whenever deemed |
| Integrity (R) | Implement policies and procedures to protect ePHI from improper alteration or |
| Mechanism to Authenticate Electronic PHI (A) | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. |
| Person or Entity Authentication (R) | Implement procedures to verify that a person or entity seeking access to ePHI is the one |
- Organizations serious about implementing effective
backup solutions are turning to Prestwood Data Services to address HIPAA
compliance concerns. Prestwood's remote backup solution addresses many of
the shortcomings of legacy tape-based solutions. Testing, changing and
transporting tapes offsite are eliminated, mitigating potential risk to
your organization. With Prestwood Remote Backup, data is encrypted and
automatically sent over the Internet to remote servers without any human
interaction. Servers are managed and maintained by a professional IT
staff. Third-party file management and file deletion maintain the
integrity of your data and make accidental or malicious deletion of
your data files and backups impossible. This adds a critical layer of
protection and is far superior to services that allow deletion of the
backup by any user.
- Data is compressed and encrypted on the client's
computer prior to transmission, sent over the Internet through the HTTPS
port, and stored on the servers encrypted.
- The Prestwood Remote Backup software generates a
unique encryption key during installation. The user has two options to
manage their own unique encryption keys.
- The software automatically creates a copy of the key, which is
securely forwarded to Prestwood Data Services for backup. Prestwood
Data Services creates two backup copies of the key. One copy is
stored off-site in a Prestwood Data Services vault. The second copy
of the key is sent to the user for their personal storage and use.
- Prestwood Remote software generates a unique encryption key
during installation. A copy of the key is automatically forwarded to
Prestwood Data Services for backup. Prestwood Data Services creates a
single copy of the key. That key is sent to the user for their
personal storage and use; after confirming receipt of the
key, Prestwood Data Services permanently deletes all copies of the
key. Please note: this option places sole responsibility for the
encryption key on the user. Prestwood Data Services will have no
means of producing the encryption key following its deletion. This
option requires signing a release instructing Prestwood Data
Services to destroy said key.
- The auditing feature is a unique and absolutely
critical function offered by Prestwood Data Services to ensure HIPAA
compliance of a client's backup protocol. A simple text file listing
an application tree and the data files associated with those
applications is sent to Prestwood Data Services to ensure that all the
files that were meant to be backed up are appropriately tagged. A
Prestwood Data Services IT professional will alert the client and help
them take appropriate action if the audit reveals data files that have not
been tagged, or have been untagged, for backup.
- To protect your mission-critical data, Prestwood Data
Services houses its servers in a SAS 70 Type II data center owned and
operated by Latisys. Latisys maintains a tight multi-layered security
system including electronic motion sensors, continuous
interior and exterior observation, and 30-day retained storage of video
surveillance. The building's single entry point is outfitted with
sophisticated security sensors, vandal-resistant and bullet-proof glass,
full biometric hand scanning and CircleLock mantraps. Armed guards
monitor the data center 24/7/365.
- All Prestwood Data Services storage servers are set
up with fault-tolerant RAID arrays and are configured to replicate all
client data across the servers. Each server contains redundant cooling
and power supply systems.
- The Remote Backup software allows clients to set the
number of revisions stored on the servers. Prestwood requires clients to
provide written consent to delete any data on the servers; a user does
not have administration rights.