The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to "covered entities" and "business associates." Covered entities include health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses. Business associates are entities that provide services to a covered entity that involve access by the business associate to Protected Health Information (PHI), as well as entities that create, receive, maintain, or transmit PHI on behalf of another business associate. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on HIPAA and HITECH, visit http://www.hhs.gov/ocr/privacy/.
Paubox uses Amazon Web Services (AWS) as its HIPAA compliant cloud platform. As such, the Paubox/AWS platform provides industry recognized certifications and audits such as ISO 27001, FedRAMP, and the Service Organization Control Reports (SOC1, SOC2, and SOC3).
The Paubox/AWS platform also meets the requirements set forth by GDPR. This includes GDPR-compliant Data Processing Addendum (DPA), and adherence and compliance with the CISPE Code of Conduct as a mechanism for demonstrating sufficient guarantees of requirements that GDPR places on data processors.
Encryption and protection of PHI in Paubox
The HIPAA Security Rule includes addressable implementation specifications for the encryption of PHI in transmission ("in-transit") and in storage ("at-rest"). Paubox encrypts PHI in accordance with guidance from the Secretary of Health and Human Services (HHS), " Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals."
Paubox offers a comprehensive set of features and services to make key management and encryption of PHI easy to manage and simpler to audit, including the Key Management Service (KMS). Master keys in KMS can be used to encrypt/decrypt data encryption keys used to encrypt customer PHI. Data encryption keys are protected by customer master keys stored in KMS, creating a highly auditable key hierarchy as API calls to KMS are logged.
All Paubox network traffic, whether it contains PHI or not, is encrypted using industry-standard transport encryption (TLS). Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS 1.2 and 1.3 protocols ensure that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are no longer considered secure protocols and thus are not used or supported by Paubox.
Paubox implements a set of network security features that are well aligned for HIPAA compliance. Features such as stateless network access control lists and dynamic reassignment of Paubox instances into stateful security groups provide flexibility in protecting Paubox from unauthorized network access. Paubox Flow Logs provide an audit trail of accepted and rejected connections to instances processing, transmitting or storing PHI.
Paubox encryption at rest is consistent with HIPAA guidance that is currently in effect. With Paubox at rest encryption, a unique volume encryption key is generated for each Paubox disk volume (hard drive).
Auditing, backups, and disaster recovery
HIPAA's Security Rule also requires in-depth auditing capabilities, data back-up procedures, and disaster recovery mechanisms. This section covers how Paubox addresses those requirements.
To be consistent with HIPAA and HITECH requirements, Paubox has put auditing capabilities in place to allow security analysts to examine detailed activity logs or reports to see who had access, IP address entry, what data was accessed, etc. This data is tracked, logged, and stored in a central location for extended periods of time, in case of an audit.
Under HIPAA, covered entities must have a contingency plan to protect data in case of an emergency and must create and maintain retrievable exact copies of electronic PHI. To implement a data back-up plan, Paubox uses persistent storage for its server instances. These volumes offer off-instance storage that persists independently from the life of a server instance. To align with HIPAA guidelines, Paubox creates point-in-time snapshots of its volumes that automatically are replicated across multiple Availability Zones, which are distinct locations engineered to be insulated from failures in other Availability Zones. These snapshots can be accessed at any time and can protect data for long-term durability. Paubox also provides a highly available solution for data storage and automated backups. Multiple redundant copies of Paubox backups are automatically created and stored in separate data centers. These snapshots and backups can be accessed at any time, from anywhere (based on permissions), and are stored until intentionally deleted.
Disaster recovery, the process of protecting an organization's data and IT infrastructure in times of disaster, is typically one of the more expensive HIPAA requirements to comply with. This involves maintaining highly available systems, keeping both the data and system replicated off-site, and enabling continuous access to both. Paubox implements a variety of disaster recovery mechanisms.
Paubox administrators can start server instances very quickly and can use an Elastic IP address (a static IP address for the cloud computing environment) for graceful failover from one machine to another. Paubox also offers Availability Zones. Paubox administrators can launch server instances in multiple Availability Zones to create geographically diverse, fault tolerant systems that are highly resilient in the event of network failures, natural disasters, and most other probable sources of downtime. Using Paubox, a customer's data is replicated and automatically stored in separate data centers to provide reliable data storage designed to provide 99.99% availability.
While there is no single certification for HIPAA compliance, HITRUST is recognized as a gold standard within healthcare. HITRUST CSF Certified status demonstrates that our Encrypted Email, Secure Email API, Email DLP Suite and Inbound Security solutions have met key regulatory requirements and industry-defined requirements and is appropriately managing risk.
For more information, click here.
How can you contact us about this policy?
If you have any questions or comments about this policy, you may contact our Data Protection Officer (DPO), Rick Kuwahara by email at firstname.lastname@example.org, or by post to:
5 Third Street, 324
San Francisco, CA 94103