The healthcare sector is rapidly changing.
When the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, and the HIPAA Omnibus Rule was published in 2013, they set the stage for the rapid digitization of the American healthcare sector. This digitization has already dramatically improved the information available to doctors and other healthcare practitioners in a variety of contexts and has undoubtedly saved lives.
By encouraging the establishment of electronic health records (EHRs), HITECH also resulted in the dramatic expansion of businesses that store and process these kinds of records, and therefore are required to comply with HIPAA. This new market opportunity has also resulted in many businesses, particularly among small and medium-sized businesses, being unclear about what their responsibilities are, much less what to do about them. Businesses that provide healthcare services or IT services for healthcare service providers in the U.S. need to be aware of the Health Insurance Portability and Accountability Act (HIPAA) and their responsibilities under the regulation.
HIPAA applies to your business if you handle electronic Protected Health Information (ePHI).
Getting it right is important: while financial penalties can be as little as $100 per violation, the fine is compounded by each individual breached record, and companies, whether healthcare providers or business associates, are permanently listed in the breach records, or “wall of shame,” published by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). These records also make clear that dozens of businesses of all sizes and types are being found non-compliant with HIPAA each month.
Fortunately for those businesses unsure of their HIPAA requirements, it is not particularly complicated, and help is available.
What You Need To Do
The key section of HIPAA for business associates is the second section, usually referred to as “Title II.” Title II sets out the requirements for ePHI administration, including the HIPAA Security Rule, which is the main part of HIPAA small businesses need to be concerned with. It also sets the standards for securing patient information both in transit and in storage.
There are three different types of safeguards included in the security rule, which are meant to collectively ensure the confidentiality, integrity, and security of all ePHI.
Administrative Safeguards: Your business needs to have and follow policies and procedures for how to secure ePHI, limit which employees can access it, and, where appropriate, limit what kind of access they have. You need to have written agreements known as Business Associate Agreements in place with any third-party service provider you use, covering your responsibilities under HIPAA, and you must also conduct regular security reviews.
Physical Safeguards: Physical security means controlling access to your building, office, and all servers and networked equipment. This requirement also extends to any device outside of the office, such as at an employee’s home, physical storage areas, and of course, the data center.
Technical Safeguards: All ePHI must be protected by digital access controls, in the form of technologies, policies, and procedures. Businesses are required to determine what technologies and policies are reasonable for them, and then implement and maintain them.
HIPAA includes other requirements as well, such as the Privacy Rule standard to limit information sharing to the “minimum necessary” amount, but the Security Rule is the main technical challenge for businesses.
Once you have established that HIPAA applies to you, and learned what that means, one of the most important next steps is bringing in a reputable, independent, third-party auditor to guide you through the steps you need to take. Partnering with a reliable hosting provider that understands HIPAA compliance is also an important part of the process. It is not the case, however, that any host can ensure compliance with all aspects of HIPAA, so beware of promises that seem too good to be true.
What to Expect From Your Hosting Provider
While no host can make you completely HIPAA compliant, there are a number of things a quality provider with experience hosting businesses covered by HIPAA can do to help. As a special class of Business Associate known as a Cloud Service Provider (CSP), your host must provide some things, like restricting access to your servers and providing up-to-date antivirus and malware protection, in order to keep you in compliance with HIPAA. Others, like helpful documentation, can be done without, but going without them makes an important process unnecessarily difficult for most SMBs.
Administrative Safeguards: In addition to the employee access controls and cybersecurity protections noted above, your hosting provider should help with backup and recovery of ePHI and keep detailed logs.
Physical Safeguards: Your CSP should be able to assure you that they have strong building security in place, that only certain employees can physically access your systems, and that they have a plan for how to keep your systems up or restore them in the event of a natural disaster.
Technical Safeguards: A HIPAA hosting provider should offer a range of technologies for protecting ePHI. Some of those are security tools such as solutions for data and network encryption, while others are tracking systems for logging interactions like system access and file changes.
In addition to protecting the systems they host with these capabilities, a quality HIPAA hosting provider also provides customer service that is responsive and proactive. It should also be staffed by professionals who have a real understanding of the challenges faced by SMBs as they go through the process of implementing a HIPAA compliant environment. That means live support that is reachable through multiple channels and available when it is needed.
A host with valuable experience helping healthcare industry SMBs can also empower businesses to make themselves compliant by providing educational HIPAA documentation. Offering businesses resources that can be shared among affected staff is really an extension of customer service.
Liquid Web Knows HIPAA
Liquid Web provides complete and comprehensive support for customers launching services for the healthcare industry, including live help from The Most Helpful Humans in Hosting™ and an extensive Knowledge Base. These resources give our SMB customers everything they need to address the lucrative and growing U.S. healthcare services market with confidence, and with the assurance that all sensitive patient information will be protected to the full extent required by regulation.