CenturyLink and HIPAA

Updated by Christian Brown on Nov 17, 2015
Article Code: kb/597

CenturyLink’s Compliance Management team is dedicated to continually improving and maintaining critical compliance certifications such as Health Insurance Portability and Accountability Act (HIPAA). Through our disciplined assessment and audit processes, CenturyLink has implemented comprehensive practices for HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) leveraging widely recognized security standards such as: SSAE 16 SOC 1 and 2, and ISO 27001 to help enable our customers meet their privacy and security rules for Protected Health Information (PHI). HIPAA sets the standard for protecting sensitive patient data. Any company that deals with PHI must ensure that all the required physical, network and process security measures are in place and followed.

This includes Covered Entities (CE), anyone who provides treatment, payment and operations in healthcare, Business Associates (BA), and anyone with access to patient information that provides support in treatment, payment or operations. Subcontractors or business associates of business associates must also be in compliance.

The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect heath data created, received, maintained or transmitted electronically, also known as Electronic Protected Health Information (ePHI).

CEs and their BAs can leverage CenturyLink to process, maintain and store ePHI. With the required controls in place in the customer’s environment (data encryption, access restrictions, etc.), CenturyLink will sign a Business Associate Agreement (BAA) that can be leveraged as part of a customer’s overall compliance program.

Additionally, CenturyLink can provide an Attest Engagement audit report in accordance with AT Section 101. This report demonstrates an independent service auditor has examined CenturyLink’s assertion that the description of its information security program for its network and hosting services provided in the report is fairly presented. It also demonstrates that the information security program governing the services adopts essential elements of the HIPAA Security Rule and for HITECH.

What is a Covered Entity?

Healthcare Provider – A healthcare provider includes:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

They are only considered covered entities if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Healthcare Plan – Healthcare plan includes organizations such as:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

Healthcare Clearinghouse - This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

PHI and ePHI

CenturyLink understands the importance of protecting the confidentiality, integrity, and availability of ePHI as the essence of the HIPAA Security Rule. CenturyLink conducts the required risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence when storing, transmitting and processing ePHI, to comply with the HITECH standards and credentials to enable its customers meet HIPAA compliance.

There is no dispute about the responsibilities of BA’s for the protection of ePHI, all BA’s are held as responsible as CE’s. Considering the latest notice of the Omnibus Final Rule that speaks to the extension of responsibilities from covered entities to business associates:

United Security

Traditional IaaS Approach - CenturyLink operates on a United Responsibility model. Making cloud security everyone's responsibility ensures that our infrastructure and everything connected to it is safe. CenturyLink is responsible for the security of everything in our infrastructure; our customers are responsible for anything built on top of, or connected to that infrastructure.

Hybrid IT Approach – CenturyLink works with its customers to address their specific compliance needs by leveraging a “United Responsibility” security model depending on which services the client is required for CenturyLink to manage. As a recognized leader in Hybrid IT environments with the real-world experience to determine the right mix of technology, building blocks based on your business needs, workloads and end-user expectations with built in compliance requirements to meet most universally accepted security frameworks and standards.

Shared Security.png

CenturyLink identifies the right blend of IT services from a single capable and reliable provider.
Integrated and optimized solutions from multiple IT infrastructure models aligning technology capabilities with the needs of business.

  • Combining the best of your traditional IT with additional capabilities that your IT may not be able to deliver on its own.
  • Choose from individual offerings, co-managed, or fully managed solutions based on your business priorities.
  • All designed to meet your regulatory requirements from FISMA to HIPAA to PCI.

Compliance and security is obviously a top-level consideration whenever considering a move to a hybrid IT model. Security concerns have long been a factor preventing companies from either experimenting with or fully embracing a cloud environment. Organizations are rapidly assessing the gaps in their current security policies vs. the requirements necessary to align with compliant standards. For its customers to become or remain aligned with relevant compliant certifications and security frameworks, CenturyLink possesses the necessary third party generated certifications required.

HIPAA Enabling Architecture

Below is an example of CenturyLink’s HIPAA enabling architecture.

HIPAA Arch.png

Products and Services

As a trusted Business Associate, CenturyLink securely protects, stores and manages its customers data with reliable solutions that makes it readily accessible when and where they need it.

Colocation Services
CenturyLink’s data centers provide hosting services in facilities that are specifically designed to provide hosting for mission- critical environments. Colocation services consist of physical and environmental protection services including, but not limited to, the following:

  • Physical security
  • Heating, ventilation and air conditioning (HVAC)
  • Fire detection and fire suppression
  • Power
  • Network connectivity
  • Remote hands
  • Training personnel for onsite support

Managed Security Services
CenturyLink offers a suite of HIPAA Enabled security services such as installation, monitoring, and maintenance of security devices. Security professionals with relevant industry accreditations and/or vendor-specific certifications provide these services. Managed Security Services include but are not limited to the below solutions.

  • Intrusion Detection Systems (IDS)
  • Content Integrity Monitoring
  • Threat Management
  • Network-Based Distributed Denial of Service (DDoS) Mitigation
  • Firewall Management

Managed Storage Services
HIPAA Enabled Managed Storage Services offers various options to outsource data storage needs. Data storage engineers administer redundant backup systems to help ensure the customer’s data is secure and available for retrieval. In addition to the technology provided by the storage system, CenturyLink’s fully managed Utility Storage Service helps prevent performance bottlenecks through monitoring and balancing storage area networks (SAN) and storage systems, as well as assisting customers to identify the right storage product or their performance needs.

Managed Backup and Archiving
CenturyLink’s backup and data restoration services are reliable solutions that protect PHI and make it readily accessible only when and where it’s needed. CenturyLink engineers with the required HIPAA training and experience work to support the customer’s needs and help to ensure that backup jobs run and complete successfully.

CenturyLink provides variations of backup and data restoration services such as:

  • Utility Backup Service
  • Utility Backup Encryption Service
  • Utility Backup NAS Service
  • Utility Vaulting Service

What is a HIPAA Compliant Data Center?

CenturyLink adheres to the administrative, physical, and technical safeguards and standards set forth by the HITECH act and developed an enterprise-wide information security management program to help its customers meet their information security and compliance requirements. Below is a list of safeguards CenturyLink’s program incorporates based on the elements of the HIPAA Security Rule and HITECH.

Administrative Safeguards

  • Security Management Process - Identify and analyze potential risks to its colocation and managed services, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Security Personnel - Designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information Access Management - Implement policies and procedures for authorizing access to the network and hosting environment only when such access is appropriate based on the user or recipient's role.
  • Workforce Training and Management - Provide appropriate authorization and supervision of workforce members who work within its colocation and managed services. Train workforce members regarding its security policies and procedures, and applies appropriate sanctions against workforce members who violate its policies and procedures.
  • Contingency Planning - Implement policies and procedures to guide response to emergencies or other occurrence that could affect normal operations.
  • Evaluation - Perform a periodic assessment of how well its security policies and procedures meet the requirements of the HIPAA Security Rule.
  • Business Associate Contracts - Implement contractual terms, policies and procedures to insure that business associates will appropriately safeguard customer data and information.

Physical Safeguards

  • Facility Access and Control - Limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation Security - Implement physical safeguards for all workstations that access production systems, to restrict access to authorized users.
  • Device Media - Implement policies and procedures that govern the receipt and removal of hardware and electronic media into and out of a facility, and the movement of these items within the facility.

Technical Safeguards

  • Access Control - Implement technical policies and procedures that allow only authorized persons to access the data centers and production environment.
  • Audit Controls - Implement hardware, software, and/or procedural mechanisms to record and examine access and other activity to the data center and production systems.
  • Authentication - Implement procedures to verify that a person seeking access to production systems is the one claimed.

Breach Notification

  • Notification Procedures - Implement policies and procedures to guide personnel in the timely notification of appropriate parties in the event of a breach.
  • Breach Documentation - Implement procedures to ensure that relevant information concerning the breach is documented and retained for ad hoc review.

Service Audits

CenturyLink recognizes that some customers may need to conduct on-site audits of how their services are delivered. CenturyLink permits annual audits to ensure our customer’s services are aligned with security and policy requirements. The customer may perform this service audit or any designated third party auditor(s) who enters into a standard Auditor Access and Confidentiality Agreement.

Characteristics of a Business Associate

When a covered entity decides to outsource HIPAA compliant hosting to a business associate, they need to look for certain indicators of compliance to ensure due diligence in vetting their service provider. Due diligence can help a covered entity prevent a potential data breach resulting in costly fines, as well as damage to reputation and business.

HIPAA Attestation and Compliance Services Report

As the number of reported data breaches and the cost of data breaches to the healthcare industry rise, it becomes imperative for a CE to select a BA that has invested in an independent audit and can provide a copy of their audit report to ensure they are following compliant policies and procedures.

HIPAA Certification vs. Compliance

Beware of claims to be “HIPAA certified.” There is no governing body or federally recognized HIPAA certification, for CE’s or BA’s alike. The correct term and usage is “HIPAA compliant,” meaning their policies, procedures, technology and staff implement security controls that are aligned with the HIPAA rules.

While, in some cases, certification may mean they have taken an unofficial exam and passed with knowledge of HIPAA-related material, it does not mean their facilities, staff or solutions are actually compliant with the HIPAA standards. It also does not mean using their services will make your company compliant.

Other Data Center Audits

A HIPAA Attestation Letter is specific to healthcare and the protection of PHI, other CenturyLink audits can give you additional guidance and insight into ongoing compliance and level of operating standards, as well as the quality of service CenturyLink customers can expect to receive.

SOC 1 - CenturyLink provides an annual Statement on Standards for Attestation Engagements (SSAE) No. 16. The certification validates CenturyLink’s commitment to operational excellence and client satisfaction. The SSAE 16 SOC 1 Type 2 report indicates that an independent service auditor has formally evaluated and issued an opinion on the description of selected CenturyLink systems.

SOC 2 - In addition to individual data center audits, CenturyLink also publishes a Service Organization Controls 2(SOC 2), Type II report. The SOC 2 report provides the auditor’s detailed evaluation of the design suitability and effectiveness of the controls. The design is required to meet the criteria for the security and availability principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

ISO 27001
CenturyLink has received certification of the ISO/IEC 27001:2013 Information Security Management System (ISMS) Standard for data centers located in United States, Singapore, United Kingdom, Germany, and Japan. The certificate addresses global network services and managed hosting services in Asia and EMEA. As well as colocation services (including physical security and facilities management) for data centers in Asia, EMEA, and North America. ISO 27001 is an International Standard providing a model for establishing, operating, monitoring, and improving ISMS.

The ISO 27001 certification allows CenturyLink to demonstrate effective information security processes are defined and implemented. ISO 27001 conducts interim audits annually to support a three-year renewal cycle. The most recent renewal certification audit was completed in 2013.

ISO 27001 key benefits:
Includes security as part of the current quality system:

  • Provides an opportunity to identify and manage risks to key information and systems assets
  • Provides confidence and assurance to both partners and clients
  • Allows for an independent review and assurance of information security practices to customers

CenturyLink adopted ISO 27001 for a variety of reasons, including:

  • Protecting critical and sensitive information.
  • A holistic approach to secure information and compliance.
  • Credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers.
  • Security status according to internationally accepted criteria.
  • Market differentiation due to prestige, image and external goodwill.
  • Globally accepted certification.

Corporate Quality

At the core of all compliance programs are quality systems and the management of those quality systems, allowing the organization to establish a baseline from which it can plan, implement and measure. The program is used to demonstrate compliance and also to measure improvement. Coupled with its ISO certifications, CenturyLink maintains a customer advocacy function that has a formal charter to evaluate, control and improve the company’s Quality of Service (QoS) to both internal and external customers. Customer advocacy implements this directive through the management of various quality improvement programs.


CenturyLink strives to provide assurance to existing and future customers that its service standards are among the best in the industry. One way CenturyLink has done this is through implementation and adherence to industry best practices known as Information Technology Infrastructure Library (ITIL).

Many of CenturyLink’s internal business units have adopted ITIL standards as the basis for management of their services. ITIL provides a comprehensive, consistent and coherent set of best practices for IT service management, promoting a quality approach to achieving efficient and effective business processes utilizing information systems.


Site Region City, State

  • AB3 USA Albuquerque, NM
  • AT1 USA Lithia Springs, GA
  • BO1 USA Waltham, MA
  • BO2 USA Waltham, MA
  • BO3 USA Waltham, MA
  • BR1 USA Burbank, CA
  • CH2 USA Chicago, IL
  • CH3 USA Elk Grove, IL
  • CH4 USA Chicago, IL
  • CL1 USA Lewis Center, OH
  • DC2 USA Sterling, VA
  • DC3 USA Sterling, VA
  • DC4 USA Sterling, VA
  • DC5 USA Sterling, VA
  • DC6 USA Sterling, VA
  • DC7 USA Sterling, VA
  • DL1 USA Fort Worth, TX
  • DL2 USA Fort Worth, TX
  • DN1 USA Highlands Ranch, CO
  • DN2 USA Highlands Ranch, CO
  • DN3 USA Englewood, CO
  • LA1 USA El Segundo, CA
  • MP1 USA Minneapolis, MN
  • MP2 USA Minneapolis, MN
  • NJ1 USA Jersey City, NJ
  • NJ2 USA Weehawken, NJ
  • NJ4 USA Piscataway, NJ
  • NJ5 USA Newark, NJ
  • OC2 USA Irvine, CA
  • SC4 USA Santa Clara, CA
  • SC5 USA Santa Clara, CA
  • SC8 USA Santa Clara, CA
  • SC9 USA Santa Clara, CA
  • SE2 USA Tukwila, WA
  • SE3 USA Tukwila, WA
  • SE4 USA Tukwila, WA
  • SL1 USA Hazelwood, MO
  • SN1 USA Sunnyvale, CA
  • SN2 USA Sunnyvale, CA
  • TP1 USA Tampa, FL
  • FR6 Germany Frankfurt, Germany
  • LO1 UK Berkshire, England
  • LO3 UK London, England
  • LO4 UK London, England
  • LO5 UK Berkshire, England
  • LO6 UK Berkshire, England
  • MR1 Canada Verdun, QC
  • TR1 Canada Mississauga, ON
  • VC1 Canada Vancouver, BC
  • HK2 Hong Kong Hong Kong, HK
  • SG2 Asia Jurong East, Singapore
  • SG8 Asia Singapore


BA – A Business Associate is a person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity’s workforce. A business associate can also be a covered entity in its own right.

BAA – Business Associates Agreement

CE – Under HIPAA, a Covered Entity is a health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

ePHI – Electronic protected health information (PHI) refers to any PHI that is covered under HIPAA security regulations and is produced, saved, transferred or received in an electronic form.

HIPAA – A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans) and employers (or sponsors) and to specify the types of measures required to protect the security and privacy of personally-identifiable health care information.

PHI - Individually identifiable health information collected from an individual that is created or received by a healthcare provider, employer, or plan. Any information related to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual. This may include but is not limited to:

  • Patient's Name
  • Patient's Social Security Number
  • Phone Number or Address
  • Medical History
  • Current Medical Condition
  • Test results and images