What is a HIPAA Compliant Data Conversion?
December 4th, 2020
When healthcare entities convert data from one platform to another, the process must be secure. Find out what constitutes a HIPAA compliant data conversion.
As a healthcare organization, you’re well aware of HIPAA and its mandates regarding protected healthcare information (PHI). You likely have processes in place to ensure compliance when sharing, moving, or storing PHI data. But what about when you convert data from one platform to another? The process must be a HIPAA compliant data conversion.
What makes a data conversion HIPAA compliant? Let’s find out.
The HIPAA Security Rule
The HIPAA Security Rule establishes standards to protect the creation, reception, use, or maintenance of PHI. Three mechanisms must be in place to do this: appropriate administrative, physical, and technical safeguards. To meet those standards in a data conversion, you, your data conversion provider, and software vendor must take certain actions.
HIPAA Compliant Data Conversion Considerations
Before you begin your data conversion, there are several considerations for you and your partners to ensure compliance.
HIPAA Business Associate Agreement
According to the U.S. Department of Health and Human Services (HHS), any individual or entity that accesses PHI on your behalf is a business associate. Thus, you’ll need a HIPAA Business Associate Agreement (BAA) with all parties. Access includes electronic transmission of the data. If providers you’re considering working with don’t begin conversations about a BAA, this could be a red flag.
HIPAA does not explicitly require encryption for PHI transfer. Rather, the HIPAA Security Rule states that the transfer must be secure. Encryption is not a required but an “addressable” implementation specification. Addressable means that you must act if a risk assessment reveals its necessity.
Even without specific language, encryption fulfills the technical safeguards requirement. However, not all encryption is the same. HIPAA doesn’t define the type of encryption, so it’s open to interpretation.
The National Institute of Standards and Technology (NIST) recommends using the Advanced Encryption Standard (AES) with a 128-, 192-, or 256-bit key. The number expresses the length of the key used for encryption and decryption. AES 256-bit is the strongest of the three.
Also, keep in mind that the encryption must be end-to-end: the data has to stay encrypted at rest on both sides, not only while it is in transit.
When your BAA partners access your PHI, they should employ two-factor authentication. This adds another layer of security. Access will require more than just a password. An additional PIN or piece of information is necessary to retrieve the data.
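The following is an added example, not code from the original post or from the vendor that published it, showing what the two encryption points above look like in practice: a key is accepted only at one of the NIST AES lengths (128, 192 or 256 bits), a record is encrypted at the source system with AES-GCM before it leaves, the staging copy an intermediary holds is checked for any plaintext, and the destination system decrypts and verifies it. Only Go's standard library is used. The record, the batch label and the key are constructed sample values; how the key is provisioned to both ends (a KMS, an out-of-band exchange) is an assumption left outside the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadKeyLength is returned for any key that is not one of the AES sizes
// NIST specifies: 16, 24 or 32 bytes (128, 192 or 256 bits).
var ErrBadKeyLength = errors.New("AES key must be 16, 24 or 32 bytes long")

// KeyBits returns the AES key strength in bits for a key of acceptable length.
func KeyBits(key []byte) (int, error) {
	switch len(key) {
	case 16, 24, 32:
		return len(key) * 8, nil
	default:
		return 0, ErrBadKeyLength
	}
}

// newGCM builds an AES-GCM instance after enforcing the key-length policy.
func newGCM(key []byte) (cipher.AEAD, error) {
	if _, err := KeyBits(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record at the source system. AES-GCM also
// authenticates the ciphertext and the label (here a batch identifier), so
// any modification in transit or at rest is detected when the destination
// decrypts. Output layout: nonce || ciphertext || GCM tag.
func Seal(key, record, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; fresh random value per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, label), nil
}

// Open decrypts and verifies a blob produced by Seal at the destination system.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// LeaksPlaintext is the check a conversion pipeline can run on what the
// intermediary (for example the provider's staging storage) actually holds:
// true if any of the given PHI fragments appear in the clear.
func LeaksPlaintext(stored []byte, fragments ...[]byte) bool {
	for _, f := range fragments {
		if bytes.Contains(stored, f) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // 256-bit key; assumed to come from a KMS, never hard-coded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN=000123|DOB=1970-01-01|DX=constructed sample")
	label := []byte("conversion-batch-2020-12-04")

	blob, err := Seal(key, record, label) // at the source system
	if err != nil {
		panic(err)
	}
	fmt.Println("staging copy contains plaintext:", LeaksPlaintext(blob, []byte("MRN="), []byte("000123")))

	out, err := Open(key, blob, label) // at the destination system
	if err != nil {
		panic(err)
	}
	fmt.Println("destination recovered record:", bytes.Equal(out, record))

	blob[len(blob)-1] ^= 0x01 // one bit flipped in the stored copy
	_, err = Open(key, blob, label)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The design point is that the intermediary only ever handles the output of Seal, so "end-to-end" holds regardless of whether the transport (SFTP, HTTPS) adds its own encryption, and the GCM tag turns any corruption or tampering of the staged copy into a hard decryption failure rather than silently converted bad data.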
HIPAA Awareness and Training
It’s a good idea to make sure your partners know more about HIPAA than just sending you the BAA. Ideally, they’ll have compliance experts on staff who monitor the operations of your data conversion. It’s also a best practice for their employees to participate in yearly HIPAA compliance training.
Data Center Certifications
Your data conversion provider uses colocation data centers to store data in its cloud rather than on physical servers on-site. You still need to know about the certifications and security protocols of that data center. Ideally, the certifications will go beyond HIPAA compliance alone, such as HITRUST CSF, SOC 1 and SOC 2 Type 2, and NIST 800-53. Ask about this during an initial discussion.
Data Breaches and HIPAA Violations
Data breaches in healthcare are, unfortunately, an ongoing concern. Even with HIPAA compliant practices, an incident can still occur. It’s a good idea to ask about any previous data breaches and whether they were the result of a HIPAA violation.
Have Questions about a HIPAA Compliant Data Conversion?
If you still have questions regarding a HIPAA compliant data conversion, you can contact our experts. Also, check out the data security protocols we have in place, which go above and beyond HIPAA requirements.