What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyber-attacks and ransomware attacks on health insurers and providers.
What is HIPAA compliance?
HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the HIPAA Omnibus Rule.
HIPAA compliance is a continuous process that covers many different activities and measures, such as policies, procedures, technical controls, and awareness-raising programs. These must be implemented alongside the products used.
NOTE! This article does not aim to give you legal advice and does not cover Customer’s obligations that are not related to Acronis SCS products. This article intends to help you adjust your internal processes and use of Acronis SCS products in a HIPAA-compliant way. Acronis SCS Customers are solely responsible for evaluating and fulfilling their own legal and compliance obligations under HIPAA, as well as for using Acronis SCS products and services in an appropriate manner under the HIPAA requirements.
Who is affected by HIPAA?
There are three groups of stakeholders:
- Covered Entity (a health care organization). Examples of covered entities:
  - Health Plan – An individual or group plan that provides or pays the cost of medical care.
  - Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, that facilitates the processing of health information received from another entity.
  - Health Care Provider – A provider of health care services.
  - Health Care – Care, services, or supplies related to the health of an individual, including:
    - preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body;
    - sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- Business Associate (a person or organization that provides a service to covered entities and may have access to patients' personal information). Examples of business associates: lawyers, accountants, IT contractors, billing companies, MSPs, other cloud storage services, email encryption services, etc.
- Optional: Subcontractor (a person or organization that uses the PHI of a Business Associate to carry out additional work for the Business Associate or Covered Entity).
Acronis SCS may be either a business associate or a subcontractor.
Is Acronis SCS Cyber Protect Cloud HIPAA-certified?
There is no official, legally recognized HIPAA compliance certification process or accreditation. However, Acronis SCS Cyber Protect Cloud adheres to HIPAA compliance requirements and provides a secure infrastructure to store ePHI.
When should a Business Associate Agreement (BAA) be signed?
A Business Associate Agreement (BAA) must be in place both between the Covered Entity and the Business Associate, and between the Business Associate and any Subcontractor, to protect the confidentiality of all PHI.
Acronis SCS signs BAAs with:
- Covered Entities (Healthcare provider, Health Plan or Health Care Clearinghouse)
- Business Associates (MSPs) engaged with a Covered Entity that have a BAA in place with this Covered Entity
How to use Acronis SCS products in a HIPAA-compliant way?
If you are a Covered Entity or a Business Associate and you are going to use Acronis SCS Cyber Protect Cloud for processing Protected Health Information (“PHI”), the following items are required:
- Contact your Acronis SCS account manager to discuss your HIPAA compliance requirements.
- Request a Business Associate Agreement (“BAA”) from your account manager. Note: Acronis SCS requires that all backups are encrypted, and any violation of the agreement can include termination of services.
Once a BAA with Acronis SCS has been signed, you can begin integrating Acronis SCS Cyber Protect Cloud into your company's HIPAA compliance program.
If using Cloud-to-Cloud (C2C) services such as Google Workspace or Microsoft Office 365, the Covered Entity or Business Associate must also sign a BAA with the external service provider.
Customer Responsibilities
While Acronis SCS provides a secure and compliant infrastructure for the storage and processing of PHI, the customer is responsible for ensuring that Acronis SCS Cyber Protect Cloud is properly configured and secured according to HIPAA requirements. Acronis SCS partners and end users should implement the following administrative and technical safeguards to adhere to those requirements.
Administrative
- Execute an Acronis SCS Business Associate Agreement or Subcontractor Agreement.
- If using C2C, execute a BAA with any HIPAA cloud services.
- Implement or update your set of internal policies and procedures to ensure they cover Acronis SCS Cyber Protect Cloud as well. These rules should include, among others, the following:
  - Access control procedures regulating access provisioning, modification, review, and revocation:
    - Access to Acronis SCS Cyber Protect Cloud must be allowed only to those who have been granted access rights.
    - Assign different role-based access rights, including read-only accounts and/or administrative accounts.
    - Account names should be unique for each user so that activities can be identified and tracked per user.
  - Procedures for the regular review of records available in Acronis SCS products, such as audit logs and access, activity, and alert reports, which can be used for security incident tracking. More information is available in the official Acronis SCS documentation:
    - Company Administrator Guide:
      - https://www.acronis.com/en-us/support/documentation/SCSCyberCloudAdmin/#audit-log.html
      - https://www.acronis.com/en-us/support/documentation/SCSCyberCloudAdmin/#reporting.html
    - Partner Guide
- Update your disaster recovery plans with the processes related to Acronis SCS Cyber Protect Cloud.
- Test your plans and the operation of Acronis SCS products periodically (Acronis SCS recommends performing data restoration tests at least annually).
- Devise sanction procedures for violations of internal regulations, including violations related to the use of Acronis SCS products.
- Inspect periodically that Acronis SCS products and other HIPAA-relevant systems are configured and used in accordance with the implemented policies and procedures.
- Revise policies and procedures annually or upon any significant changes.
- Add the use of Acronis SCS products to your awareness and training program. Make sure that all HIPAA-relevant documentation is made available to the persons who are responsible for implementing the procedures to which the documentation pertains.
Technical
- Enable two-factor authentication for your accounts:
  - User Guide: https://www.acronis.com/en-us/support/documentation/SCSCyberCloudUser/#two-factor-authentication.html
  - Partner Guide: https://www.acronis.com/en-us/support/documentation/SCSCyberCloudPartner/#setting-up-two-factor-authentication.html
  - Company Administrator Guide: https://www.acronis.com/en-us/support/documentation/SCSCyberCloudAdmin/#setting-up-two-factor-authentication.html
- All backups must be encrypted by one of the following:
  - Enhanced security mode, which requires mandatory AES-256 encryption for all backups and only allows locally set encryption passwords:
    - User Guide: https://www.acronis.com/en-us/support/documentation/SCSCyberCloudUser/#enhanced-security-mode.html
    - Partner Guide: https://www.acronis.com/en-us/support/documentation/SCSCyberCloudPartner/#enhanced-security-mode.html
  - A protection plan with encryption enabled.
- Configure periodic backup archive checking to validate your backup archives.
- Keep Acronis SCS Cyber Protect Cloud and other software up to date by installing the latest available patches in a timely manner.
- Follow the 3-2-1 backup rule for your critical data: keep 3 copies of the data, on 2 different types of media, with at least 1 copy off-site.
Please note that these measures are not exhaustive for reaching HIPAA compliance. Customers must implement several additional policies and procedures, and must separately assess all the required safeguards depending on their context. These may include, among others, physical controls such as workstation use and security policies and device and media controls. End users must be aware of the existence of the HIPAA regulation and follow its requirements.