While there aren't official HIPAA compliance guidelines for data centers, there are several resources you can look to. Most notably, the Office of the Inspector General of the Department of Health and Human Services published a series of pointers toward security specifications for Medicaid. These specifications are what auditors use to validate covered entities for HIPAA.
Similarly, the Centers for Medicare and Medicaid Services (CMS) published a series of white papers that provide additional insight into the HIPAA Security Final Rule; they cover the gamut from physical security controls to risk management to technical controls.
More information about HIPAA in general, as well as other Federal Health and IT related information, can be found at the Department of Health and Human Services website.
Finally, CMS has published the Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews, which, as the title implies, gives a high-level picture of what to expect in an audit.
For more information:
- What are the differences between an SAS 70 data center and a Tier III data center?
- Read more about who has rights to patient information under HIPAA.
This was first published in July 2009