VMware vCloud Air – HIPAA Matrix
VMware vCloud Air goes to great lengths to ensure the security and availability of vCloud Air services. In this effort VMware has completed an independent third-party examination of vCloud Air against the applicable regulatory requirements of HIPAA to serve the needs and requirements of our Healthcare Industry customers.
To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers, and other organizations.
A high-level overview of this program is available online:
http://www.vmware.com/files/pdf/vcloud-air/hipaa-hitech-compliance-using-vmware-vcloud-air.pdf
This document serves as a detailed account of the controls outlined in the vCloud Air Information Security Management System as they relate to HIPAA requirements.
The Information Security Management System (ISMS) governing the vCloud Air service addresses essential elements of the HIPAA Security Rule and the HITECH Act. The criteria used in making this assertion were the information security program detail, and applicable control implementation guidance, located in the HIPAA Security Rule and HITECH requirement documentation.
These controls include the following standards and specifications:
• Administrative Safeguards;
• Physical Safeguards;
• Technical Safeguards; and
• Breach Notification.
This matrix includes all of the HIPAA and HITECH regulations that vCloud Air has been assessed against by an independent third-party audit firm. This matrix is a tool that can assist your organization in quickly identifying the applicable regulations that the vCloud Air service is in compliance with and the control activities that satisfy those regulations.
DISCLAIMER: The scope of the vCloud Air HIPAA assessment and of this document is strictly limited to the regulations as they apply to VMware delivering the vCloud Air service. Any regulations listed with an “N/A” are regulations deemed to be outside the scope of VMware’s responsibility. All regulations applicable to covered entities are assumed to be the customer’s responsibility. This matrix should be used as guidance only and is not a guarantee that a customer is in compliance with the HIPAA regulations based on vCloud Air’s assessment against the HIPAA and HITECH regulations.
To request a copy of the vCloud Air HIPAA assessment report, please contact your VMware salesperson.
Regulation / Control Activity

Administrative Safeguards

164.308(a)(1)(i) Standard: Security Management Process. A covered entity or business associate must implement policies and procedures to prevent, detect, contain, and correct security violations.
Control Activity: vCloud Air has documented policies and procedures in place to guide personnel in security practices, including but not limited to information security policy, access control policy and a risk management framework.

164.308(a)(1)(ii)(A) A covered entity or business associate must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Control Activity: Documented policies and procedures are in place to guide personnel in performing risk assessments on a periodic basis.

164.308(a)(1)(ii)(B) A covered entity or business associate must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
Control Activity: A risk assessment is conducted on at least an annual basis. Additionally, information technology security awareness and HIPAA privacy awareness training programs are in place to communicate VMware security and HIPAA privacy policies to employees on an annual basis.

164.308(a)(1)(ii)(C) A covered entity or business associate must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
Control Activity: Documented HIPAA violation sanction policies and procedures are in place to guide compliance personnel in applying sanctions to employees who fail to comply with security policies.

164.308(a)(1)(ii)(D) A covered entity or business associate must implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking.
Control Activity: Security monitoring applications and manual reviews are used to monitor and analyze in-scope systems. Tracking tools for incidents are in place and user access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel.

164.308(a)(2) A covered entity or business associate must identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
Control Activity: The vice president of information security is designated to develop, maintain, review, and approve the security policies.

164.308(a)(3)(i) Standard: Workforce Security. A covered entity or business associate must implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under §164.308(a)(4), and to prevent those workforce members who do not have access from obtaining access to EPHI.
Control Activity: Documented policies and procedures are in place to guide personnel in adding new users, modifying access levels, and removing users who no longer need access. User access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel.

164.308(a)(3)(ii)(A) A covered entity or business associate must implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system.

164.308(a)(3)(ii)(B) A covered entity or business associate must implement procedures to determine that the access of a workforce member to EPHI is appropriate.
Control Activity: Documented access authorization policies are in place to guide personnel in granting access to electronic protected health information. User access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel.

164.308(a)(3)(ii)(C) A covered entity or business associate must implement procedures for terminating access to EPHI when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).
Control Activity: Documented policies and procedures are in place to guide personnel in removing access for terminated employees.

164.308(a)(4)(i) Standard: Information Access Management. A covered entity or business associate must implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system.

164.308(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect EPHI of the clearinghouse from unauthorized access by the larger organization.
Control Activity: N/A

164.308(a)(4)(ii)(B) A covered entity or business associate must implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process or other mechanism.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system.

164.308(a)(4)(ii)(C) A covered entity or business associate must implement policies and procedures that, based upon the covered entity’s or business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system. A termination form is completed and access revoked for employees as a component of the employee termination process.

164.308(a)(5)(i) Standard: Security Awareness Training. A covered entity or business associate must implement a security awareness and training program for all members of its workforce (including management).
Control Activity: A security awareness training program is in place to communicate the security obligations of internal users, and employees are required to complete training annually.

164.308(a)(5)(ii)(A) A covered entity or business associate must provide periodic information security updates.
Control Activity: The VMware information technology security group monitors the security impact of potential security vulnerabilities and emerging technologies, and the impact of applicable laws or regulations is considered by senior management.

164.308(a)(5)(ii)(B) A covered entity or business associate must implement procedures for guarding against, detecting, and reporting malicious software.
Control Activity: A central antivirus server is configured with antivirus software to protect registered production Windows and Mac workstations and Windows production servers.

164.308(a)(5)(ii)(C) A covered entity or business associate must implement procedures for monitoring login attempts and reporting discrepancies.
Control Activity: Security monitoring applications and manual reviews by the security operations personnel are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

164.308(a)(5)(ii)(D) A covered entity or business associate must implement procedures for creating, changing, and safeguarding passwords.
Control Activity: The in-scope systems are configured to enforce predefined user account and minimum password requirements.

164.308(a)(6)(i) Standard: Security Incident Procedures. A covered entity or business associate must implement policies and procedures to address security incidents.
Control Activity: Documented incident response policies and procedures for reporting security incidents are in place to guide personnel in identifying, reporting, and acting upon system security incidents.

164.308(a)(6)(ii) A covered entity or business associate must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Control Activity: Documented incident response policies and procedures are in place to guide personnel in responding to suspected security incidents and to mitigate the effects of any security incidents.

164.308(a)(7)(i) Standard: Contingency Plan. A covered entity or business associate must establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.
Control Activity: Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event.

164.308(a)(7)(ii)(A) A covered entity or business associate must establish and implement procedures to create and maintain retrievable exact copies of EPHI.
Control Activity: An automated backup system is in place to perform scheduled backups of production data and systems on a daily basis. IT operations personnel perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups.

164.308(a)(7)(ii)(B) A covered entity or business associate must establish (and implement as needed) procedures to restore any loss of data.
Control Activity: Documented disaster recovery plans are in place to guide personnel in restoring lost data.

164.308(a)(7)(ii)(C) A covered entity or business associate must establish (and implement as needed) procedures to enable continuation of critical business processes and for protection of the security of EPHI while operating in emergency mode.
Control Activity: Documented contingency plans are in place to guide personnel in the continuation of critical business processes and the protection of the security of electronic protected health information while operating in emergency mode.

164.308(a)(7)(ii)(D) A covered entity or business associate must implement procedures for periodic testing and revision of contingency plans.
Control Activity: Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event.

164.308(a)(7)(ii)(E) A covered entity or business associate must assess the relative criticality of specific applications and data in support of other contingency plan components.
Control Activity: Business continuity and disaster recovery plans are documented and include criticality assessments of applications and data to support the contingency plan.

164.308(a)(8) Standard: Evaluation. A covered entity or business associate must perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
Control Activity: A risk assessment is conducted on at least an annual basis, and policies and procedures are updated periodically based on the results of operational and environmental risk assessments.

164.308(b)(1) A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate or subcontractor business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
Control Activity: N/A

164.308(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit EPHI on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.
Control Activity: Nondisclosure agreements are utilized to document requirements for handling personal information by third parties.

164.308(b)(3) Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).
Control Activity: N/A
Physical Safeguards

164.310(a)(1)(i) Standard: Facility Access Control. A covered entity or business associate must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Control Activity: Documented policies and procedures are in place for physical access to help ensure that properly authorized access is allowed to electronic information systems.

164.310(a)(2)(i) A covered entity or business associate must establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Control Activity: Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event.

164.310(a)(2)(ii) A covered entity or business associate must implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Control Activity: Documented policies and procedures are in place for physical access to help ensure that properly authorized access is allowed to electronic information systems.

164.310(a)(2)(iii) A covered entity or business associate must implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Control Activity: Procedures are in place to control and validate access to facilities based on role or function, including visitor control, and control of access to software programs for testing and revision.

164.310(a)(2)(iv) A covered entity or business associate must implement policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks).
Control Activity: Documented policies and procedures are in place to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks).

164.310(b) Standard: Workstation Use. A covered entity or business associate must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.
Control Activity: Personnel are required to adhere to acceptable use policies while performing their respective job duties. Additionally, policies and procedures are in place to guide personnel in workstation security and to apply appropriate protection to unattended equipment.

164.310(c) Standard: Workstation Security. A covered entity or business associate must implement physical safeguards for all workstations that access EPHI to restrict access to authorized users.
Control Activity: Documented policies and procedures are in place to guide personnel in workstation security and usage. Additionally, documented physical access policies and procedures are in place to guide personnel in physical security practices.

164.310(d)(1) Standard: Device and Media Controls. A covered entity or business associate must implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.
Control Activity: Documented hardware and media accountability policies and procedures are in place to guide personnel in device and media control practices.

164.310(d)(2)(i) A covered entity or business associate must implement policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored.
Control Activity: A documented media disposal policy is in place to guide personnel in the disposal of sensitive data and information.

164.310(d)(2)(ii) A covered entity or business associate must implement procedures for removal of EPHI from electronic media before the media are available for reuse.
Control Activity: A documented media re-use policy is in place to guide personnel in media re-use practices.

164.310(d)(2)(iii) A covered entity or business associate must maintain a record of the movements of hardware and electronic media and the person responsible for its movement.
Control Activity: VMware IT management maintains an inventory listing to track the movement of hardware and electronic media. Documented policies and procedures are in place to guide personnel in asset security during movements of hardware and electronic media.

164.310(d)(2)(iv) A covered entity or business associate must create a retrievable, exact copy of EPHI, when needed, before movement of equipment.
Control Activity: An automated backup system is in place to perform scheduled backups of production data and systems on a daily basis. IT operations personnel also perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups.
Technical Safeguards

164.312(a)(1) Standard: Access Control. A covered entity or business associate must implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
Control Activity: Documented policies and procedures are in place to guide personnel in limiting access to only those persons or systems that have been granted access. Additionally, administrative access privileges to the in-scope systems are restricted to user accounts accessible by authorized personnel.

164.312(a)(2)(i) A covered entity or business associate must assign a unique name and/or number for identifying and tracking user identity.
Control Activity: The in-scope systems are configured to enforce predefined user account and minimum password requirements.

164.312(a)(2)(ii) A covered entity or business associate must establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency.
Control Activity: Disaster recovery plans are in place to guide personnel in procedures to protect against disruptions caused by an unexpected event.

164.312(a)(2)(iii) A covered entity or business associate must implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Control Activity: The in-scope systems are configured to lock or log off user sessions after a predefined inactivity threshold.

164.312(a)(2)(iv) A covered entity or business associate must implement a mechanism to encrypt and decrypt EPHI.
Control Activity: Web servers utilize SSL encryption for web communication sessions. Encrypted VPNs are required for remote access to help ensure the security and integrity of the data passing over the public network.

164.312(b) Standard: Audit Controls. A covered entity or business associate must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.
Control Activity: Security monitoring applications are utilized to monitor network events and are configured to produce a monitoring report on a daily basis.

164.312(c)(1) Standard: Integrity. A covered entity or business associate must implement policies and procedures to protect EPHI from improper alteration or destruction.
Control Activity: Documented data integrity policies and procedures are in place to guide personnel in data integrity practices.

164.312(c)(2) A covered entity or business associate must implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.
Control Activity: N/A

164.312(d) Standard: Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Control Activity: The in-scope systems are configured to enforce predefined user account and minimum password requirements.

164.312(e)(1) Standard: Transmission Security. A covered entity or business associate must implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.
Control Activity: Web servers utilize SSL encryption for web communication sessions. Encrypted VPNs are required for remote access to help ensure the security and integrity of the data passing over the public network.

164.312(e)(2)(i) Implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of.
Control Activity: N/A

164.312(e)(2)(ii) A covered entity or business associate must implement a mechanism to encrypt EPHI whenever deemed appropriate.
Control Activity: N/A
HITECH Breach Notification Safeguards

164.410(a)(1) A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of the breach.
Control Activity: Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach of unsecured protected health information no later than 30 days following the discovery.

164.410(a)(2) For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
Control Activity: Documented policies and procedures are in place to guide personnel in responding to discovery of a breach.

164.410(b) Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
Control Activity: Documented policies and procedures are in place to guide personnel in responding to discovery of a breach. Notification is made to the covered entity upon discovery of a breach of unsecured protected health information no later than 30 days following the discovery.

164.410(c)(1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.
Control Activity: Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach of unsecured protected health information, and the notification includes, to the extent possible, the identification of each individual whose unsecured protected health information was, or is reasonably believed to have been, accessed, acquired, used or disclosed during the breach.
with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.
Control Activity: Documented policies and procedures are in place to guide personnel in breach notifications, in plain language, to the covered entity that include.