RedShield’s Approach to HIPAA Compliance

HIPAA was enacted to improve the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, as well as to address limitations on healthcare insurance coverage.

The HIPAA Act consists of five titles. Title II, known as the Administrative Simplification (AS) provisions, focuses on the prevention of health care related fraud and abuse. This Title applies to the RedShield service because we function as a Business Associate (BA) of Covered Entities. BAs must comply with the HIPAA Security Rule and the Breach Notification Rule, as well as certain provisions of the HIPAA Privacy Rule.


The Security Rule

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI) and establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.


The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorisation.


RedShield’s HIPAA Compliance

Currently there is no HIPAA certification programme available for cloud service providers (CSPs) like RedShield. However, in order to meet the HIPAA requirements applicable to our operating model, RedShield aligns its risk management programme with NZISM, PCI-DSS, and ISO27000. Combined, these standards provide us with a rigorous framework of security controls that supports adherence to the HIPAA Security Rule.


Business Associate Agreement (BAA)

Under HIPAA regulations, covered entities are required to ensure that business associates appropriately safeguard protected health information (PHI). A BAA serves as a contractual demonstration of the business associate’s commitment to maintain the security of the PHI entrusted to it. RedShield already has BAAs in place with existing subscribers and is happy to discuss any requirements you may have with regard to an agreement with your business.