What Should Healthcare Organizations Look for in HIPAA-Compliant Web Hosts?

Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) has become a fact of life for healthcare organizations, and those that fail to be HIPAA compliant risk huge penalties.

Part of HIPAA defines the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information and creates standards for the use and dissemination of this data.

With many healthcare organizations looking to shift more data into the cloud, a key concern is whether a hosting provider is HIPAA compliant. Just because a service provider stores the data in its own data center and is responsible for maintaining security and privacy, that doesn’t mean healthcare institutions are off the hook when it comes to ensuring the data is protected according to HIPAA guidelines.

Finding a HIPPA-Compliant Web Host

What’s required of a web host or a data center in order to be HIPAA compliant? Web-hosting companies should be independently audited, and their employees should be trained and know the specific IT services that are necessary to protect electronic personal health information, says Kathy Dawson, project manager at HostLabs Internet Solutions.

In addition, hosting providers must have documented policies and procedures and a thorough HIPAA Business Associate Agreement (BAA), Dawson says.

In fact, when forging a relationship with a hosting provider, one of the first things a healthcare company should do is make sure the provider is willing to sign a HIPAA BAA. Claims of HIPAA compliance are not a sufficient reason to entrust the hosting provider with critical information.

Why a BAA Is Important

A BAA is a pact between a HIPAA-covered entity, such as a hospital, and a HIPAA business associate, such as a hosting service provider.

The contract protects health information — individually identifiable health information, such as an individual’s past, present or future physical or mental health; the provision of healthcare to the individual; and information about payment for the provision of healthcare to the individual — in accordance with the guidelines set by HIPAA. The contract also includes common identifiers, such as an individual’s name, social security number, address and birth date.

Under the HITECH Act of 2009, a business associate’s handling and use of protected health information must comply with the data security and privacy rules of HIPAA. Any HIPAA business associate is subject to audits by the U.S. Department of Health and Human Services and can be held accountable for data breaches.

As a result, a HIPAA BAA should clearly state how it will report and respond to a data breach, including one caused by the business associate’s subcontractors.

Any hosting provider that is experienced in healthcare IT should be familiar with HIPAA and BAA, and that’s a good reason for selecting such a provider.

“The relationship is what is most important with a hosting provider; you want to look for hosting providers that have some experience in the healthcare space,” says Judy Hanover, research director at IDC Health Insights, a research firm that focuses on IT in the healthcare industry.

“One of the main stipulations is to look for a provider that understands healthcare companies and what hosting [health-related] data means with regard to HIPAA,” Hanover says. The provider needs to have a good understanding of what HIPAA means and put security provisions, such as encryption, in place to help prevent a breach.

Having a BAA in place will help a healthcare organization make sure that the hosting provider is using encryption for all personal health information that is stored in servers or in motion — as required by HIPAA, Hanover says.

While both healthcare companies and service providers share the responsibility for safeguarding data, the BAA should clearly spell out which entity is responsible for specific aspects of detecting and responding to a security breach.

“The agreement needs to be very specific, including how the analysis [of a breach] will be done, the security of the environment, what the cloud provider’s responsibility is for auditing and what information it should provide in an audit,” Hanover says.

If no BAA is in place, and there is a breach, “how will [the two companies] go about conducting a root cause analysis and determine who’s at fault and where the responsibility falls?” Hanover asks. “The BAA does entail sharing the risk.”

The Costs of Not Being HIPAA Compliant

There can be significant financial ramifications including fines and penalties, for failing to comply with HIPAA. According to Hanover, fines can go as high as $1.5 million for a healthcare organization for each state in which data is breached, depending on the severity of that breach.

In addition, there can be high costs for remediating the problem that caused the breach, and for preventing similar breaches in the future. For a small healthcare provider, these kinds of payouts can be devastating.

HostLabs already had many of the policies and procedures in place prior to seeking HIPAA attestation.

“HostLabs reviewed and modified and/or put additional policies and procedures into place, performed initial training and created our BAA template prior to submitting to a full external audit by a respected accounting and auditing firm,” Dawson says.

In addition, HIPAA education and periodic internal audits are performed on an ongoing basis, and an annual external audit is performed to ensure compliance. “The HostLabs team of HIPAA implementation experts works with customers to build a comprehensive, fully compliant solution that addresses the confidentiality, availability and integrity of electronic protected health information,” she says.

Solving the problem of security, particularly for protected health information that is subject to HIPAA breach rules, will grow in importance and will cost provider organizations more than they expected in 2014, according to a 2013 report by IDC Health Insights.

“Security and privacy are becoming more critical for health IT as audits and fines grow, and public breach notification policies continue to have public relations impact in the consumer market,” the report states. “Physical and onsite security breaches are among the most embarrassing for providers, and their PR impact—coupled with the ability to share liability for breaches with cloud service providers under business associate agreements—will drive more providers to seek security and privacy options.”

IDC research from October 2013 shows that healthcare companies are becoming more confident in hosting providers’ ability to protect data. About two-thirds of healthcare organizations surveyed by the firm (67 percent) agreed that cloud computing and Software-as-a-Service solution providers can offer better security than their organizations’ IT security teams can provide.

“So while the complexities of moving to the cloud might seem challenging, in the end we’re seeing people in healthcare be more confident in [service providers’] ability to prevent breaches,” Hanover says. And better security means greater likelihood of HIPAA compliance.

[image: Darrin Klimek/Digital Vision/ThinkStockPhotos ]