HIPAA Data Storage Done The Right Way

Let the HIPAA Hippo show you the difference

HIPPO ePHI Data Storage, Inc. strives to be your compliance partner in an ever-changing regulatory environment. The importance of properly securing patient data within Ob/Gyn, MFM and general healthcare practices is now a significant business concern. HIPPO ePHI Data Storage, Inc. has the tools to implement a HIPAA-compliant data storage backup and disaster recovery solution that is cost-effective, simple and compliant with HIPAA and other federal regulations.

Backup & Recovery

Secure, compliant, scalable enterprise-class healthcare data backup, disaster recovery and business continuity services from healthcare data experts…

Safe & Secure

Our data centers employ an aggressive security strategy, taking physical security as seriously as cyber security…

Client Support

Our support team is always available. We’re here to help! From the start to the implementation & beyond…


Our mission is simple. We partner with customers to provide a reliable, secure data center that improves business continuity and promotes the growth of their information and communication technology (ICT) infrastructure. The building has been meticulously remodeled to be environmentally friendly, virtually impenetrable and at the pinnacle of modern technology, guaranteeing optimum conditions for the servers and equipment housed within.

Why We Are Different

  • Sandblasted ceilings with fireproof paint
  • Virtually fireproof due to sealed concrete and dry-pipe sprinkler system
  • Raised floors and ceilings ensure consistent and proper airflow to the equipment
  • Earthquake-proof flooring
  • 140 feet above sea level and above the flood zone
  • 24/7/365 on-site security personnel for controlled access
  • Tier 2 OC48 connectivity
  • Key card and biometric access required for all door entry
  • Motion sensors and interior/exterior cameras
  • Barbed-wire fencing surrounds the building to restrict all unauthorized access
  • Redundant network routing for 100% uptime regardless of internet provider maintenance or problems
  • SSAE 16 compliant by American Institute of Certified Public Accountants (AICPA)

Top Myths Of Security Risk Analysis

The security risk analysis is optional for small providers.

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

I have to outsource the security risk analysis.

False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

A checklist will suffice for the risk analysis requirement.

False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

There is a specific risk analysis method that I must follow.

False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

My security risk analysis only needs to look at my EHR.

False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

I only need to do a risk analysis once.

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see Reassessing Your Security Practice in a Health IT Environment.

Before I attest for an EHR incentive program, I must fully mitigate all risks.

False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

Each year, I'll have to completely redo my security risk analysis.

False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.