On August 21, 1996 the Health Insurance Portability and Accountability Act (HIPAA) was created. Over twenty years later, many factors have evolved. Let’s take this time to reflect on how the cybersecurity environment has changed over the past two decades and discuss what to look for in a HIPAA compliant hosting provider. In addition, let’s refresh our knowledge on how we can ensure healthcare cloud storage stays HIPAA compliant.
Many healthcare businesses have HIPAA compliant standards and procedures in place on premises, but keeping protected health information (PHI) secure once it leaves the premises is a concern for most healthcare industry leaders. In circumstances where third-party vendors such as a data center colocation provider host PHI, they must be in compliance with HIPAA. While there is no certification for HIPAA, it is best practice for data center colocation providers to undergo a third-party examination against the HIPAA Security Rule.
What to Look for in a HIPAA Compliant Hosting Provider
Operating a medical practice or business in the healthcare field may require you to hire a hosting provider who is proficient in HIPAA standards. Hiring the wrong provider could result in a breach of information, loss of reputation and business profit, fines and much more. When considering a new HIPAA hosting provider, your healthcare organization should look for and ask key questions to ensure it receives top-level storage security. Here are some questions and key factors to look for in a HIPAA compliant hosting provider:
Does this hosting provider have compliance and security experts on their team? They should. Data center colocation and cloud providers must have a designated HIPAA compliance officer or official who can be responsible for maintaining HIPAA compliance and any other compliance standards.
Compliance and security are a full-time job. That is why it is more important than ever for your hosting provider to have a Chief Compliance Officer, or a related professional in place. CCOs may find themselves dealing not only with the impact of new laws, but with data privacy issues, IT failures and crisis management. Your hosting provider’s compliance experts need to prevent and detect misconduct while navigating the always-changing regulatory landscape.
The goal of a business continuity plan is to prevent interruptions of normal business procedures caused by either natural or man-made disasters. Another question to ask your HIPAA hosting provider should be around their secure offsite backup offerings. Much like the safeguards around infrastructure, HIPAA requires that healthcare organizations develop secure, offsite backups.
As a best practice, data center colocation and cloud hosting providers are designed to assist with data preservation in the case of a breach or disaster. As a result, these hosting providers should offer offsite backups for healthcare organizations that need a cloud-based HIPAA solution to solidify their data security.
To satisfy HIPAA requirements, a business continuity plan should include five implementation specifications outlined in the HIPAA Security Rule.
- A data backup plan that establishes systems for restoring ePHI
- A Disaster Recovery plan that identifies the processes needed to make sure ePHI can be restored in the event of loss
- An emergency mode operation plan that establishes procedures to ensure you can continue the necessary business processes for protecting the security of ePHI while you’re operating in emergency mode
- Procedures for periodic testing and revision of contingency plans
- Application and data criticality analysis
Ideally, the provider will also offer disaster recovery and business continuity solutions to help mitigate the threat of downtime in the event of a disaster. A cloud service provider with multiple data centers that are geographically dispersed and on different power grids can help maintain high availability in the event of a disaster.
Your hosting provider should be taking proper steps to ensure uninterrupted data access and business continuity to avoid downtime. Healthcare organizations act as a cornerstone in communities, so it is important that they remain open and fully operational through any disaster. To learn more about the HIPAA Security Rule, visit the Office of the National Coordinator for Health Information Technology.
Secure Data Center Infrastructure
One of the most critical requirements for a HIPAA compliant hosting provider is the ability to facilitate an auditor’s risk assessment of the environment that houses ePHI. Audits require physical inspection, so your hosting provider should allow auditors to enter the facility to inspect the individual components that make up the IT environment and the critical systems that are in place to ensure the confidentiality, availability, and uptime of the data that resides on this system.
When it comes to patient information and healthcare data, physical security should be a top factor in finding a hosting provider with secure data infrastructure. Some areas of a secure data center include:
- A Secure Location: A data center colocation facility should be located in a risk-free environment safe from natural and man-made disasters.
- Design and Physical Infrastructure: To ensure compliance of your healthcare data, the infrastructure should include layered security. This means top of the line monitoring systems, physical barriers and secure procedures such as multi-factor authentication.
- Secure Network Connection: In addition to the physical security, a data center should include a secure network connection and consider all vulnerabilities when it comes to network routing and connection.
- Third-Party Compliance Audits: When choosing a hosting provider, it is important to understand what certifications and security processes they have in place. Hosting provider solutions should meet rigorous third-party audits that provide evidence to demonstrate compliance with controls that fall within their solution set.
- Secure Amenities: A great way for a hosting provider to stand out above the rest is by looking at the value-added services they provide. Some value-added amenities could include around the clock support, workstations, access to office equipment, etc.
Business Associate Agreement
To adhere to HIPAA standards, a Business Associate Agreement (BAA) must be signed. A business associate agreement must be validated between a HIPAA covered entity and a HIPAA business associate. The required BAA will clearly define the responsibilities of each party in order to maintain compliance.
A business associate is directly liable under the HIPAA Rules and subject to penalties. To learn more about business associate agreements and to view an example of a business associate contract, visit the U.S. Department of Health and Human Services.
Experienced HIPAA Hosting Provider
When trying to find the best HIPAA compliant cloud hosting provider, it is best that your provider has experience with healthcare customers. Ask how many of the hosting provider’s customers are in healthcare, and how they facilitate HIPAA compliance with those customers. Meeting the demanding HIPAA compliance standards is difficult, so a data center and cloud hosting provider should be well-versed in addressing the dynamic needs of healthcare businesses. For example, a data center and cloud storage provider should define responsibilities for each party in an effort to maintain compliance.
A hosting provider that regularly works with organizations in the healthcare industry will have the expert knowledge to keep EHR and PHI secure. These providers will already have the background experience dealing with industry rules and regulations and will be able to advise you on compliance actions your organization should be taking.
Does the service provider offer private cloud solutions? When handling sensitive data like ePHI, a safe cloud environment is paramount. In some cases, this is best achieved through a private cloud. Gartner’s IT Budget report shows that healthcare companies often spend 75 percent of their IT budgets on maintaining internal systems. A HIPAA compliant private cloud solution could fix this problem. In addition to labor and hardware savings, cloud hosting providers have increased security across entire healthcare enterprises.
A hosting provider should remove the risk of large, shared clouds while taking advantage of the economic and scalability benefits of virtualization. The customization of a private cloud solution must come with the storage, compute and infrastructure your healthcare organization needs.
A private cloud solution should include highly secure, highly available, dedicated servers that can offer protection from security threats, such as hyperjacking and DDoS attacks. Private cloud solutions offer high security and customization. It is a reliable and efficient service that lacks the concerns of a shared server.
Established Compliance Training Protocols
A hosting provider should not only train its compliance employees in HIPAA-related protocols upfront but should also have ongoing training and education opportunities available to their team. Understanding the training that has been completed by your hosting provider is a factor to consider.
History of HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in August of 1996. HIPAA was initially created to “improve the portability and accountability of health insurance coverage” for employees. Other objectives of HIPAA were to combat waste, fraud and abuse in healthcare delivery.
The Act established new standards for the confidentiality, security and transmissibility of healthcare information. Once HIPAA had been signed into law, the U.S. Department of Health and Human Services set about creating the first Privacy and Security Rules. According to the U.S. Department of Health and Human Services, the Privacy Rule established, for the first time, a set of national standards for the protection of certain health information.
An overarching goal of the Privacy Rule was to ensure that individuals’ health information was properly protected. The rule was designed to be flexible and comprehensive to cover a variety of uses and disclosures that need to be addressed. The rule protects PHI and considers PHI as the following:
Information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Key Dates in HIPAA History
Security rules surrounding the healthcare industry, its technology and HIPAA compliance can seem overwhelming. Here are some key dates in HIPAA history to note:
- August 1996 – HIPAA Signed into Law by President Bill Clinton
- April 2003 – Effective Date of the HIPAA Privacy Rule
- April 2005 – Effective Date of the HIPAA Security Rule
- March 2006 – Effective Date of the HIPAA Breach Enforcement Rule
- September 2009 – Effective date of HITECH and the Breach Notification Rule
- March 2013 – Effective Date of the Final Omnibus Rule
To learn more about the history of HIPAA and the different rules, visit the U.S. Department of Health and Human Services.
What Impact Will a Hosting Provider Have?
Finding a data center and cloud hosting provider that meets the HIPAA standards above will allow you to focus on innovating your healthcare organization to improve patient experience and business efficiency. With the tools listed above, your hosting provider will help to keep ePHI secure and in step with HIPAA standards.
Data center and cloud hosting providers protect your healthcare data in the case of an emergency by acting as a disaster recovery location. Evaluating providers based on their compliance experts, secure infrastructure, experience in the healthcare industry, private cloud offerings and ongoing education and training will ensure your data is safe from a physical or cyber breach.
Ready to Decide?
LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, and newly acquired Austin and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a free resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- PCI DSS 3.2
If you are interested in getting a risk free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers or to learn more about LightEdge’s compliance offers, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.