Need HIPAA Compliance? Start With Secure Managed Services
If you handle health data — as a provider, partner or business associate (BA) — you need solid HIPAA compliance. It’s not just an academic exercise. As noted by MSPmentor, a recent compliance case resulted in a $5.5 million fine from the U.S. Department of Health and Human Services when it determined a provider “mishandled” electronic personal health information (ePHI). Avoiding this kind of penalty and the negative PR that comes with it means getting a handle on HIPAA: How do you ensure health data is properly stored, transmitted and accessed in your organization, and that all IT requirements for HIPAA compliance are met?
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to help safeguard patient data. It contains two significant regulations for all companies dealing with health data: a “privacy rule” and a “security rule.” The privacy rule sets out requirements for saving, accessing and storing health data, while the security rule details how this data must be protected. In 2009, the HIPAA security rule was updated as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act under the American Recovery and Reinvestment Act of the same year. HITECH emerged in response to the growing need for electronic health data, which helps clinicians, insurance companies and health providers more easily diagnose, treat and pay for health services. HITECH also expanded the liabilities of companies working with health data in any capacity, increased fines for non-compliance and empowered federal enforcement where necessary.
Key HIPAA Requirements
How does HIPAA compliance affect your business? First, it’s critical to understand that any company that interacts with health data — from front-line providers, known as “covered entities,” to “business associates” who simply access data or support operations — must follow HIPAA guidelines. Typically, responsibility moves up the chain, meaning that primary providers or data owners are ultimately on the hook to ensure that third parties are properly certified, thoroughly understand managed service compliance and are able to handle health data effectively.
When it comes to specific HIPAA standards, there are a number of guidelines that companies must follow to stay in compliance, for example:
- Ensuring physical safety. Data must be stored in a facility that features limited access and effective oversight. Companies must also ensure that access to workstations or networks that can reach ePHI is strictly controlled. Finally, policies must be put in place that clearly govern the transmission or destruction of any health data.
- Developing technical safeguards. Access control procedures must be developed: for example, unique user IDs backed by two-factor authentication, emergency access protocols and automatic log-off solutions, along with strong encryption rules.
- Auditing data compliance. While companies are not obligated to self-audit, this is a good idea, since federal agencies are now starting to regularly audit companies as a way to ensure HIPAA compliance. Monitoring tools that can track and record all access requests and data use are an excellent way to limit risk and stay prepared in case of an outside audit.
- Creating technical policies. You’re also on the hook to detail specific technical policies ensuring that data hasn’t been altered, deleted or otherwise damaged. Disaster recovery and backup tools are part of this requirement: You must be able to show that patient data can be recovered accurately and quickly in the event of a network outage or server failure.
- Network protection. IT departments must take steps to ensure that members of the public cannot access health data without permission. This includes defending information in transit over internal networks, via email, across the public Internet at large, or even within private cloud solutions.
The Role of Managed Service Providers
For businesses, HIPAA rules and regulations can often seem daunting — how do you keep data safe while managing the needs of patients, staff and business partners? One option is leveraging a managed service provider to handle many of the technical challenges that come with ensuring privacy and security. First step? Find a reputable provider and have it sign a business associate agreement (BAA) that allows it to legally access and handle your health data. This not only protects your company but makes the provider at least partially responsible for data privacy. Never do business without a BAA in place.
Beware of BAAs and Providers that Cut Corners
That being said, not all BAAs — and not all service providers who write and amend them — are created equal. If you encounter a provider that doesn’t specifically outline how they’ll respond to a breach of data, or insists the majority or all of the burden of securing data is on you, be very careful signing an agreement. Your organization’s protected health information is too important to cut corners.
This extends beyond the agreement to the details of the service offering itself. Oftentimes, a hosting or managed service provider maintains HIPAA compliance by doing the bare minimum to safeguard its infrastructure and network in order to offer you a lower price.
The ideal provider, however, should help you significantly reduce the burden of managing HIPAA expectations. That can mean leveraging the provider for enterprise-grade server hosting in an access-controlled data center or for the monitoring and recording of all of your HIPAA-related data transactions so you’re prepared for an audit.
Maturing cloud technology, meanwhile, makes it possible to tap your provider for a dedicated private offering — built on secure nodes or virtual machines (VM) — that lets you scale up on demand without sacrificing necessary safeguards.
HIPAA compliance is a must-have for any company handling personal health data. Best bet? Know the rules, understand the expectations and, where possible, leverage managed services to help lighten the load.