HIPAA Compliance

What is HIPAA? 

HIPAA stands for the Health Insurance Portability and Accountability Act. It is United States legislation that mandates data privacy and security provisions for safeguarding patient data held by health organizations, including pharmacies, hospitals, and health insurance companies. It was extended in 2009 by the HITECH Act (the Health Information Technology for Economic and Clinical Health Act). Under the resulting rules and guidance, Protected Health Information (PHI) must be rendered "unusable, unreadable, or indecipherable" to unauthorized persons, and encryption of data at rest and in flight must be addressed.

HIPAA contains three main rules:

  • HIPAA Privacy Rule: dictates the proper uses and disclosures of PHI
  • HIPAA Security Rule: requires organizations to implement measures to ensure the confidentiality, integrity, and availability of PHI
  • HIPAA Breach Notification Rule: requires organizations to report breaches that affect PHI

How is Magnus Box HIPAA compliant? 

The HIPAA Security Rule requires that Magnus Box implement safeguards to keep protected health information (PHI) secure. To meet these requirements, we implement administrative, technical, and physical safeguards. These measures include encryption, user authentication, access controls, audit trails, data backup, and disaster recovery.

Backing up: 

Magnus Box always encrypts user data on the client before it is sent or stored, using AES-256 in CTR mode authenticated with Poly1305 in AEAD (encrypt-then-MAC) mode, under high-entropy random keys. The user's password is used to derive two 192-bit keys (the "L" and "R" keys) via PBKDF2-SHA512, using fixed (hard-coded) PBKDF2 parameters so that the same password always yields the same two keys.

  • The L-key is sent in place of the real password when logging in to the Auth Role server; the server stores only a bcrypt(sha512) hash of the L-key, so neither the password nor the L-key can be recovered from the server's database.
  • The R-key never leaves the client. It is used to encrypt the secret keys stored within the user's profile on the server, so the server only ever holds those keys in wrapped form.

At rest: 

When Magnus Box sets up a Storage Vault for the first time, it generates two high-entropy random keys (the 256-bit "A" key and the 128-bit "E" key). All user data in the Storage Vault is stored encrypted with the A-key using AES-256 in CTR mode and authenticated using Poly1305 in AEAD (encrypt-then-MAC) mode, so any modification of the stored data is detected on restore. The only party holding the decryption key is your company (the backup user); Magnus Box itself cannot read the PHI stored in a vault.
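The two passages above (password-derived L/R keys, and the random per-vault A/E keys with AES-CTR plus Poly1305 encrypt-then-MAC) describe a key hierarchy. The following is an added illustration of that hierarchy, not Magnus Box's or Comet's own code. Everything the page does not state is an assumption and is marked as such in the comments: the PBKDF2 salt and iteration count, the exact framing of the AES-CTR/Poly1305 construction (the first 32 bytes of keystream become the one-time Poly1305 key, modelled on ChaCha20-Poly1305), the mode used to wrap the vault keys under the R-key, and the server-side hash, where salted PBKDF2 stands in for bcrypt because bcrypt is not in the Python standard library. AES and Poly1305 come from the `cryptography` package; the sample PHI record is constructed.

```python
"""Added example of a client-side key hierarchy with encrypt-then-MAC storage.
Not Magnus Box / Comet code; parameters and framing are assumptions."""
import hashlib
import hmac
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.poly1305 import Poly1305

# The page says the PBKDF2 parameters are fixed so output is repeatable, but
# does not give them; these values are hypothetical.
PBKDF2_SALT = b"magnusbox-example-salt"
PBKDF2_ITERS = 100_000
SERVER_HASH_ITERS = 50_000  # hypothetical work factor for the server-side hash


def derive_l_and_r_keys(password: str) -> tuple[bytes, bytes]:
    """PBKDF2-SHA512 -> 384 bits, split into the 192-bit L-key and R-key."""
    okm = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              PBKDF2_SALT, PBKDF2_ITERS, dklen=48)
    return okm[:24], okm[24:]


def server_enrol_l_key(l_key: bytes) -> dict:
    """Auth Role server side: store only a salted slow hash of sha512(L-key).
    The page says bcrypt(sha512); salted PBKDF2-SHA512 stands in for bcrypt."""
    salt = os.urandom(16)
    inner = hashlib.sha512(l_key).digest()
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha512", inner, salt, SERVER_HASH_ITERS)}


def server_check_l_key(record: dict, l_key: bytes) -> bool:
    inner = hashlib.sha512(l_key).digest()
    candidate = hashlib.pbkdf2_hmac("sha512", inner, record["salt"], SERVER_HASH_ITERS)
    return hmac.compare_digest(candidate, record["hash"])


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-CTR, then Poly1305 over nonce||ciphertext (encrypt-then-MAC).
    Assumed framing: keystream bytes 0..31 are the one-time Poly1305 key.
    Output layout: 16-byte nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(16)
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    mac_key = enc.update(bytes(32))          # keystream for blocks 0 and 1
    ct = enc.update(plaintext) + enc.finalize()
    tag = Poly1305.generate_tag(mac_key, nonce + ct)
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before releasing any plaintext; raise on any tampering."""
    if len(blob) < 32:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    dec = Cipher(algorithms.AES(key), modes.CTR(nonce)).decryptor()
    mac_key = dec.update(bytes(32))          # same keystream bytes as on encrypt
    expected = Poly1305.generate_tag(mac_key, nonce + ct)
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return dec.update(ct) + dec.finalize()


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if decryption under `key` rejects `blob` (wrong key or modified data)."""
    try:
        aead_decrypt(key, blob)
        return False
    except ValueError:
        return True


def create_storage_vault(r_key: bytes) -> tuple[bytes, bytes]:
    """Client side: fresh random 256-bit A-key and 128-bit E-key. Returns the
    plaintext A-key and the profile entry the server stores: A||E wrapped under
    the R-key (assumed to be AES-192-CTR + Poly1305, as above). The page does
    not say what the E-key is used for, so it is only generated and wrapped."""
    a_key, e_key = os.urandom(32), os.urandom(16)
    return a_key, aead_encrypt(r_key, a_key + e_key)


def unwrap_vault_keys(r_key: bytes, wrapped: bytes) -> tuple[bytes, bytes]:
    keys = aead_decrypt(r_key, wrapped)
    return keys[:32], keys[32:]


def backup_roundtrip(password: str, phi: bytes) -> dict:
    """Walk the whole hierarchy: enrol, create a vault, back up, restore elsewhere."""
    l_key, r_key = derive_l_and_r_keys(password)
    record = server_enrol_l_key(l_key)             # server holds: hash of L only
    a_key, wrapped = create_storage_vault(r_key)   # server holds: wrapped A||E only
    vault_blob = aead_encrypt(a_key, phi)          # server holds: ciphertext only
    # Later, on any client that knows the password: re-derive, log in, unwrap, restore.
    l2, r2 = derive_l_and_r_keys(password)
    login_ok = server_check_l_key(record, l2)
    a2, _ = unwrap_vault_keys(r2, wrapped)
    return {"login_ok": login_ok, "restored": aead_decrypt(a2, vault_blob),
            "server_sees": {"l_hash": record, "wrapped_keys": wrapped, "vault": vault_blob}}


if __name__ == "__main__":
    result = backup_roundtrip("correct horse battery staple",
                              b"constructed sample PHI: patient 0001, visit notes")
    print(result["login_ok"], result["restored"])
```

The point to take from the walk-through is what each party ends up holding: the server sees a slow hash of the L-key, the wrapped A||E blob, and vault ciphertext, none of which can be opened without the R-key or A-key, and those exist only on a client that knows the password. The tag check in `aead_decrypt` runs before any plaintext is produced, which is what makes the encrypt-then-MAC ordering meaningful.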

Vendor compliance:

All Magnus Box vendors have a signed BAA on file with Magnus Box and are reviewed yearly as part of our overall compliance program.

What is a Business Associate Agreement (BAA)? 

Under the Health Insurance Portability and Accountability Act (HIPAA), a "business associate" is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity. A "business associate" also includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

The HIPAA rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.

Do I need to sign a BAA with Magnus Box?

Absolutely. If you push PHI to Magnus Box without a BAA on file, that is itself a HIPAA violation. You can get a signed BAA by emailing [email protected] or by clicking this link, which will take you right to the Magnus Box HIPAA BAA.

Why do I need a BAA?

Without a signed Business Associate Agreement (BAA), our service cannot be used in compliance with HIPAA. As a HIPAA Business Associate contracted by your organization, we have the potential to access protected health information (PHI), and HIPAA requires a signed BAA to be in place between us before you use our service.

Does Magnus Box Conduct a Security Risk Assessment?

Yes, as a Business Associate, we are required to conduct an annual security risk assessment (SRA) as part of our HIPAA compliance. SRAs identify deficiencies in security practices, allowing us to implement measures to improve our security and prevent breaches.

What is the HIPAA Seal of Compliance?

There is no official government certification of HIPAA compliance. Magnus Box has partnered with a third-party company to review our practices and, after completing their program, received their Seal as evidence of our good-faith effort. The Seal of Compliance verifies and validates our efforts to comply with HIPAA. If you have any questions about Magnus Box and how we abide by HIPAA, please email [email protected].

