
Webair HIPAA-HITECH Overview · 2019-01-07

Webair Internet Development Inc. | 501 Franklin Avenue, Suite 200 | Garden City, NY 11530 | Phone: 1.866.WEBAIR1 | www.webair.com

Webair currently supports the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) regulations across many of its service offerings. Additionally, Webair has the ability to sign HIPAA Business Associate Agreements (BAAs) with customers. As one of the few companies offering managed Cloud services that signs HIPAA BAAs, Webair demonstrates its commitment to the proper storing and security of electronic Protected Health Information (ePHI) data for the healthcare and enterprise markets.

Secure. Managed. Scalable.

What is HIPAA?

The HIPAA Act of 1996 is a federal mandate that requires specific security and privacy protections for Protected Health Information (PHI). More information about HIPAA can be found at www.hhs.gov/ocr/privacy/index.html.

What’s the difference between HIPAA, HITECH, and the final HIPAA Omnibus Rule?

The HITECH Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology in the U.S. In 2013, the final HIPAA Omnibus Rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of PHI, HIPAA Business Associates (BAs) among them, subject to the same security and privacy rules as covered entities under HIPAA.

Which Webair services can help facilitate HIPAA compliance for its customers?

- Colocation services offered in our New York, Los Angeles, Montreal, and Amsterdam facilities.
- Dedicated Servers offered in all of our facilities (self-managed).
- Managed and Unmanaged Private Clouds configured with our recommended security offerings.
- Managed and Unmanaged Public Clouds configured with our recommended security offerings.
- Cloud Storage
- IP Transit

In what ways does Webair support HIPAA compliance in its services?

In addition to being able to sign HIPAA BAAs, Webair offers the following features to help protect data:

- Each customer is segmented into their own dedicated Virtual Local Area Networks (VLANs) for public Internet and internal communications.
- All data between shared storage platforms and customer infrastructure travels over a VLAN dedicated to the customer.
- Restricted physical access to production servers.
- Strict access control system for physical facilities and servers.
- All managed services are firewalled by default for Secure Shell (SSH) and File Transfer Protocol (FTP).
- Data uploaded to managed platforms is automatically scanned for viruses.
- Multiple types of Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Firewall, and Web Application Firewall (WAF) services are available to be added to any customer configuration.
- Distributed Denial of Service (DDoS) mitigation services are available to detect and block malicious volumetric attacks.
- Customers are provided access to NetFlow portals to view details on all traffic to/from their infrastructure.
- Anti-virus software (ClamAV) available to be run on managed platforms.
- File auditing software (Tripwire) available to be run on managed platforms.
- Configurable administrative controls available to the customer to:
  - Grant explicit authorization for FTP & SSH accounts
  - Audit logs for customer portal
  - Reporting and audit trail of account activities on both users and content (via Tripwire)
  - Formally defined and tested breach notification policy
  - Training of employees on security policies and controls
  - Employee access to customer data files is highly restricted
  - 99.9% uptime SLA

What industry certifications has Webair obtained to prove its HIPAA compliance?

Webair maintains SSAE16 SOC 1 Type II compliance for all of its data centers. While there are no specific industry certifications for HIPAA compliance, Webair’s SSAE16 SOC 1 Type II audits do include a HIPAA Matrix attesting that Webair properly conforms to the HIPAA regulations. Yearly audits are performed and evaluated by an independent, third-party auditor, who has issued an evaluation report detailing the controls Webair has in place to meet HIPAA requirements with regard to data privacy and security.

How do I get a copy of the third-party audits?

Please contact your Webair account representative.

Can Webair sign HIPAA BAAs with partners who are doing business with healthcare customers (e.g., covered entities or other BAs)?

Yes, Webair has the ability to enter into a direct BAA with the partner as well as directly with the partner’s customer as needed.

Has Webair signed HIPAA BAAs with customers to date?

Yes, Webair has signed BAAs with several healthcare and biotech customers to date.

How can I ensure I am meeting the HIPAA obligations for my organization?

Webair signs BAA addendums with its customers who have purchased the eligible services listed above. A signed BAA should be in place between Webair and the customer prior to storing any PHI.

Customers are responsible for configuring their applications, platforms, websites and portals in a HIPAA-compliant manner and for enforcing policies in their organizations to meet HIPAA compliance.

How can I get more information on Webair’s HIPAA compliance and services?

Please contact your Webair account representative. If you don’t have one, please call 1-866-WEBAIR1 and speak to someone in the sales department.