.svg)
.webp){kind=small}
.svg){kind=small}
Section A - Evaluating a provider’s status as a Business Associate
Evaluating the Service Provider’s Status as a HIPAA Compliant Entity
The service provider is capable of executing a Business Associate Agreement (BAA)
Vendors or service providers whose work requires them to handle PHI for a HIPAA covered entity must be able to sign and execute a BAA. Even if the provider’s platform does support the requirements necessary for satisfying HIPAA, the BAA must be in effect before your organization can be in compliance with HIPAA. Often a provider’s terms of service may clarify if and how the entity can execute a BAA.
The service provider can satisfy your specific HIPAA use case
Before executing a BAA, confirm with the provider that your specific HIPAA use case can be satisfied using their service. For example, a service like Slack is not sanctioned for communication between patients and healthcare providers but is suited for communication between providers. An organization seeking to use Slack to communicate with patients would not have an appropriate use case, even though the application serves other HIPAA compliant use cases.
Section B - Evaluating proper implementation of security controls
Implementing HIPAA Security Rule Technical Safeguards
Adopt the appropriate product or tier of service
SaaS applications can offer a variety of service tiers, however, not all of them may allow for the configurations or controls needed to maintain HIPAA compliance while using the application. Ensure that your organization purchases the tier or product(s) required for HIPAA compliance.
Successfully implement the appropriate audit controls
HIPAA covered entities leveraging digital technologies for sharing and storing ePHI must have mechanisms to record and examine access and other activities within systems that contain or use ePHI. Such mechanisms may be offered by the service provider or through marketplaces managed by the service provider. These can include (but are not limited to):
- Audit Logs
- Security Information and Event Management (SIEM)
- Data Loss Prevention (DLP)
Ensure administrative and physical safeguards are in place
The above items ensure your organization is compliant with the HIPAA Security Rule technical safeguards for ePHI. Beyond the HIPAA Security Rule technical safeguards, implementing facility and device level policies are essential. Make sure these are in place regardless of whether you adopt SaaS applications. Learn more here.
Successfully implement the appropriate access controls
HIPAA covered entities leveraging digital technologies for sharing and storing ePHI must have policies and solutions in place that limit access exclusively to authorized persons. Such solutions may be offered by the service provider or through marketplaces managed by the service provider. These can include (but are not limited to):
- Single Sign-on (SSO)
- Multi-factor Authentication (MFA)
- Data Loss Prevention (DLP)
Successfully implement the appropriate integrity controls and ensure transmission security
Successfully implement the appropriate integrity controls and ensure transmission security
- Encryption at rest
- Encryption in transit
- Backup/Archival
You can download a pdf of our guide here.
Protected Health Information (PHI) detector for digital healthcare
Cloud healthcare data is growing at a tremendous rate. To scale security and compliance, organizations need a platform that will securely manage the collection and analysis of sensitive PHI across all of their cloud applications. The Nightfall PHI detector uses AI to accurately identify the exposure of patient data with maximum accuracy and relevance. In contrast to competitive solutions, which rely on noisy single-entity regex and heuristic-based alerting, our multi-dimensional ML-based detection delivers superior accuracy and relevancy. Zero-in on inappropriate PHI disclosures (exactly as defined by HIPAA) and leverage high context, accurate alerts to maintain HIPAA compliance without headaches.
Discover
Integrate in minutes with cloud apps to detect sensitive PHI in 150+ file types, including images.
Classify
ML-based logic includes 18 healthcare-related detectors and PII detectors
Protect
Real-time alerts and automated remediation. End user education, with customized notifications.
Key Features
- Easy to use, low overhead. Use automation to reduce time spent on security and compliance maintenance.
- Nightfall's agentless integration simplifies security and means no overhead managing devices or latency.
- Detection is ML powered for high accuracy and reducing false positives. Out of the box detection for: PII, PHI, PCI, secrets, credentials, and much more.
- Out-of-the-box support for leading cloud apps, enabling management of all your data from one singular location.
- Leverage context-rich reports to show auditors proactive management of sensitive data.
You can download a pdf of our guide here.
.svg)
.svg)
.svg)
.svg){kind=small}
.svg){kind=small}
