Backups that support HIPAA compliance
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 as part of a larger healthcare reform in the US. A key aspect of the legislation is to provide security and data privacy protections related to the access, use, and disclosure of Protected Health Information (PHI). HIPAA applies to any organizations classified as “covered entities” or “business associates.”
Rewind offers HIPAA compliance for the following Cloud Service integrations:
- Backups for Confluence
- Backups for Jira
- Backups for Jira Service Desk
- Backups for Azure DevOps
- Backups for Okta (early access)
- Backups for Entra ID (early access)
These integrations are referred to in Rewind’s Business Associate Agreement as “HIPAA Eligible Services.”
It’s the customer’s responsibility to determine whether HIPAA requirements apply to their organization and if they’re using or planning to use Rewind Services to protect PHI. If you haven’t signed a Business Associate Agreement (BAA) with Rewind, you shouldn’t use our Services for anything involving PHI.
Please note: Rewind does not provide HIPAA-compliant backups for cloud service integrations that are not themselves HIPAA-compliant.
Supporting customers with HIPAA-compliant backups is important to Rewind. We’re proud to continue raising the bar when it comes to our privacy and security standards, in order to support our customers with their compliance needs.
WHEN CONTACTING REWIND FOR SUPPORT OR ASSISTANCE DO NOT INCLUDE PHI (OR OTHER SENSITIVE INFORMATION) IN EMAILS, CORRESPONDENCE OR SERVICE TICKETS.
To enable HIPAA compliance with Rewind, a customer needs to complete the following two steps:
- Sign Rewind’s Business Associate Agreement (BAA): The BAA outlines the responsibilities and requirements for safeguarding PHI, ensuring that each party complies with HIPAA regulations. It includes provisions regarding permissible uses of PHI, required safeguards, and reporting procedures for breaches or unauthorized disclosures. This agreement is essential to ensure that both parties meet HIPAA standards and protect the confidentiality, integrity, and security of patient information.
- Configure your backups: Customers must follow Rewind’s HIPAA configuration guide to ensure they are using our products in a HIPAA-compliant manner.
Rewind’s business associate agreement
Under HIPAA, companies that engage a service provider to handle PHI on their behalf are required to establish a Business Associate Agreement (BAA) with that provider. Accordingly, HIPAA-covered customers who plan to use Rewind’s backup products for PHI must complete a BAA in addition to Rewind’s Terms of Service. Rewind’s BAA is specifically designed to align with our products and services, highlighting that HIPAA compliance is a shared responsibility between the customer and Rewind.
You can read our BAA at Rewind’s Business Associate Agreement.
To initiate the process of signing the Business Associate Agreement (BAA), please reach out to our sales team, who will assist you.
How Rewind enables HIPAA compliance
The following information is intended to help our customers understand how Rewind supports HIPAA compliance.
| Requirement | Description | How Rewind meets this requirement |
| --- | --- | --- |
| Risk management | Reduce risks and vulnerabilities; conduct periodic technical and nontechnical evaluations in response to environmental or operational changes. | Rewind takes a proactive and comprehensive approach to risk management. We have implemented policies and procedures to safeguard data, including PHI, and to ensure the confidentiality, integrity, and availability of data in line with HIPAA standards. Regular risk assessments are conducted to identify and address potential vulnerabilities, including security threats, data breaches, and regulatory compliance gaps. Rewind employs robust encryption, access controls, and monitoring systems to protect data, and educates our workforce on HIPAA requirements. Rewind has integrated HIPAA compliance into our overall risk management framework, demonstrating our commitment to maintaining the trust and privacy of our customers. |
| Workforce security | – Background screening and proper termination procedures. – Sanctions against workforce members. | All new employees and contractors are subject to background checks, and employees receive quarterly privacy and security training. At Rewind, all employees and contractors with access to confidential information are bound by employment agreements and confidentiality commitments. |
| Information access management | – Authorization of access for employees who work with PHI. – Appropriate granting of access (on a least-privilege basis). – Termination of a session after a predetermined period of inactivity. | At Rewind, access is assigned based on a user’s team, ensuring access is limited to those with a legitimate need. Quarterly access reviews are conducted to ensure access remains appropriately restricted. Access is modified or removed in a timely manner based on the results of these reviews or when a user’s role changes. Privileged access to production environments is strictly limited to authorized personnel, in line with the principle of least privilege. |
| Incident response management | – Audit logging and detection (including monitoring of login attempts). – Identification of and response to suspected or known security incidents; mitigation and documentation of the incidents and their outcomes. | Rewind users are able to monitor activity related to their organization’s users, plans, and content. Rewind has implemented an incident response process that defines roles and responsibilities, records the actions associated with an incident investigation (including descriptions of the incident and the actions taken), and concludes with a post-incident review. For further details on Rewind’s incident response process, please visit the Security Portal. |
| Privacy and security responsibility | – Identify an individual responsible for the development and implementation of the HIPAA security compliance program. – Identify an individual responsible for the development and implementation of the HIPAA privacy compliance program. | Rewind has a dedicated Trust Team responsible for our security, privacy, and compliance programs, including HIPAA requirements. |
| Security awareness and training | – User awareness training. | Rewind conducts quarterly security training and ongoing awareness campaigns to ensure all personnel are well informed about privacy and security requirements and the importance of safeguarding data, including Protected Health Information (PHI). |
| Business continuity and disaster recovery planning | – Processes to enable continuation of critical business operations. – Processes to ensure the integrity of data. | At Rewind, we prioritize data resilience by performing bi-annual disaster recovery tests, ensuring that our backup systems are always ready to respond to unexpected events and that our customers’ data remains secure and accessible. Disaster recovery testing involves executing technical runbooks to verify that they work as written, along with tabletop exercises of various disaster scenarios to verify that procedures are correct. |
| Business Associate Agreements | – Business Associate Agreements contain assurances that customer data will be appropriately safeguarded by Rewind and third-party suppliers. | Rewind has a Business Associate Agreement that includes assurances that we will appropriately safeguard our customers’ data. Additionally, we ensure that relevant third-party suppliers will protect your PHI by requiring them to sign Business Associate Agreements with us. |
| Physical security and endpoint controls | – Facility access controls. – Workstation and device security. | The Rewind application is hosted within AWS “secure by design” data centers. Rewind’s office buildings have physical security and access controls in place, such as CCTV and on-site security officers. Access to the building and office is limited to employees with approved access and is controlled via access cards. Rewind has implemented physical and technical safeguards to restrict access to all workstations to authorized users. Technical and physical safeguards, where applicable, are logically enforced by Rewind’s mobile device management solution. |
| Policies and procedures | – Retain documentation regarding the provisions of the HIPAA Security Rule for six years from the date of its creation, or the date when it was last in effect. | Rewind has implemented written security policies and procedures and records the actions, activities, and assessments associated with HIPAA compliance. These records are retained for a minimum of six years. |
| Transmission security | – Security measures to ensure that ePHI is not improperly modified. – Mechanisms to encrypt ePHI whenever it is deemed appropriate. | All data at rest in our databases, cache services, and other data stores is encrypted using standard AWS encryption mechanisms, typically AES-256. For data in transit across the network, all communication takes place over HTTPS (encrypted) connections. We use a certificate with a 2048-bit key size on all of our Rewind endpoints, and certificates are rotated yearly. |
Thank you for trusting Rewind to handle your HIPAA-compliant backups. We understand the critical importance of protecting your data, and appreciate your continued partnership. If you have any questions regarding how Rewind can support HIPAA compliance for your backups, please don’t hesitate to contact our support team.