Ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) is critical for healthcare organizations and businesses handling sensitive patient data. Among the key requirements, maintaining data availability using secure and reliable data backups is essential for protecting electronic protected health information (ePHI).
Rewind’s backup solution provides peace of mind to organizations that need secure, compliant data protection. Rewind allows you to confidently back up and restore your sensitive data, ensure compliance with industry regulations, and maintain the security and integrity of your ePHI. Not only does Rewind safeguard your organization against data loss, but it also supports your disaster recovery efforts, ensuring uninterrupted access to critical records.
Rewind supports HIPAA compliance across the following integrations:
- Backups for Confluence
- Backups for Jira
- Backups for Jira Service Management
- Backups for Azure DevOps
- Backups for Entra ID (early access)
- Backups for Okta (early access)
These integrations are referred to in Rewind’s Business Associate Agreement as “HIPAA Eligible Services.”
Please note: Rewind does not provide HIPAA-compliant backups for cloud service integrations that are not inherently HIPAA-compliant.
How Rewind enables HIPAA compliance
Risk management
Rewind takes a proactive and comprehensive approach to risk management. We’ve implemented policies and procedures to safeguard data, including protected health information (PHI), and to ensure the confidentiality, integrity, and availability of that data in line with HIPAA standards.
Regular risk assessments are conducted to identify and address potential vulnerabilities, including security threats, data breaches, and regulatory compliance gaps. To protect your data and support HIPAA compliance, Rewind employs advanced data encryption both in transit and at rest, access control, and monitoring systems. We also educate our workforce on all compliance regulations, including HIPAA requirements.
Rewind has integrated HIPAA compliance into our overall risk management framework, demonstrating our commitment to maintaining the trust and privacy of our customers.
Workforce security
All new employees and contractors are subject to background checks, and employees receive ongoing privacy and security training.
At Rewind, all employees and contractors with access to confidential information are bound by employment agreements and confidentiality commitments.
Information access management
At Rewind, we abide by the principle of least privilege. Access to data and applications is assigned based on a user’s team, ensuring access is limited to those with a legitimate need. Quarterly access reviews occur to ensure access is restricted appropriately. Access is modified or removed in a timely manner based on the results of these reviews or when a user’s role changes.
Privileged access to production environments is strictly limited to authorized personnel, aligning with the principle of least privilege.
Incident response management
Rewind users are able to monitor activity related to their organization’s users, plans, and content.
Rewind has implemented an incident response process that consists of identifying roles and responsibilities, recording actions associated with incident investigation, including descriptions and actions taken, and completing a post-incident review.
Please visit our Security Portal for additional details on how Rewind handles incident response.
Privacy and security responsibility
Rewind has a dedicated Trust Team responsible for our security, privacy, and compliance programs, including HIPAA requirements.
Security awareness and training
Part of Rewind’s mission is to educate our customers and partners about how they can safeguard their critical SaaS data, by offering data protection tips, webinars, etc. Rewind also conducts quarterly security training and ongoing awareness campaigns to ensure all personnel are well-informed about privacy and security requirements and the importance of safeguarding data including PHI.
Business continuity and disaster recovery planning
At Rewind, we prioritize data resilience by performing bi-annual disaster recovery tests to ensure that our backup systems are always ready to respond to any unexpected events and that our customers’ data remains secure and accessible.
Disaster recovery testing involves executing technical runbooks to verify that they work as written, and tabletop exercises covering various disaster scenarios to confirm that the procedures are correct.
Business Associate Agreements
Rewind has a Business Associate Agreement that includes assurances that we will appropriately safeguard customers’ data.
Additionally, we ensure that relevant third-party suppliers will protect your PHI by requiring them to sign Business Associate Agreements with us.
Physical security and endpoint controls
Rewind’s office buildings have physical security and access controls in place, such as CCTV and on-site security officers. Access to Rewind’s offices is restricted to employees with approved access.
Rewind has implemented physical and technical safeguards to restrict access to authorized users for all workstations. Technical and physical safeguards, where applicable, are logically enforced by the Rewind mobile device management solution.
Policies and procedures
Rewind has implemented security policies and procedures and documents the actions, activities, and assessments associated with HIPAA compliance. These will be maintained for a minimum of six years.
Transmission security
All data at rest in our databases, cache services, or other data stores is encrypted using standard AWS encryption mechanisms, typically AES-256.
For data in transit across the network, all communication takes place over HTTPS (encrypted) connections. All Rewind endpoints use certificates with 2048-bit keys, and certificates are rotated annually.
Supporting HIPAA compliance: Rewind’s Business Associate Agreement
Under HIPAA, companies that engage a service provider to handle PHI on their behalf are required to establish a Business Associate Agreement (BAA) with that provider. Accordingly, HIPAA-covered customers who plan to use Rewind’s backup solutions for PHI must complete a BAA in addition to Rewind’s Terms of Service. Rewind’s BAA is specifically designed to align with our products and services, highlighting that HIPAA compliance is a shared responsibility between the customer and Rewind.
To initiate the process of signing the Business Associate Agreement, please reach out to our Sales Team.
Read more about how Rewind supports your HIPAA compliance goals today!