Finding HIPAA Hosting Solutions as a Small Business Owner

Operating within the healthcare industry can be challenging. There are many moving parts that must be accounted for, whether you’re a new startup firm or a large network of hospitals. When most small business owners are looking for hosting solutions, the only concerns are cost and the capability of the hardware to meet the needs of a website. The options are endless when it comes to finding simple hosting. When it comes to firms in the medical sector, there are special considerations to be had.

Your hosting options are significantly narrowed when looking for HIPAA-compliant hosting. Small business owners working in healthcare must seek out hosting companies that specialize in HIPAA compliance. Relatively speaking, few hosting companies can provide this service because of what it entails. Powerful hardware is just one part of the equation. There must also be a long list of security measures put in place to protect sensitive data. This strict set of regulations is the reason why you can’t trust your hosting with just anyone. It’s also why many hosting companies can’t offer this service and why trying to establish local infrastructure to handle these duties isn’t the best option. Part 2 of this document released by the SANS Institute delineates what is required at the local level to remain compliant with HIPAA regulations.  Maintaining HIPAA compliance at the hardware level is cost-prohibitive for most firms and a host is required.

Finding a hosting provider that can meet your organization’s needs can seem daunting, but there are a number of things to be aware of when seeking out a HIPAA-compliant hosting solution. Here are some general guidelines to keep in mind when looking for the right hosting solution for your business.

Does HIPAA hosting make your business HIPAA compliant?

To start, it’s important to note what keeps your organization compliant with HIPAA regulations. Many make the mistake of assuming that because your hosting solution meets compliance standards, then your organization is compliant as well because your data is being stored and transferred securely online. Unfortunately, that is only part of the story.

Many business owners, especially at small firms, focus on the technical aspect of compliance rather than the fact that HIPAA regulations are really a set of organizational guidelines with a technical component. Consider these HIPAA compliance myths that Derrick Wlodarz debunks for Beta News. While you need to be able to trust that your host will offer the security features needed to keep your server within regulations, there are plenty of things that need to be implemented locally at both a technical and personnel level. Data handling by employees is especially important. Limiting access and ensuring secure transfer of sensitive data within the office is just as important as making sure your hosting solution has all the required security protocols in place. Your organization will also need a full disaster recovery plan to make sure that sensitive data is recoverable in nearly any scenario.

Once you’ve established that your local hardware and organizational processes are compliant with HIPAA standards, then you can concern yourself with what it is your host must provide to help you remain in compliance.

What makes a hosting solution HIPAA compliant?

The U.S. Department of Health and Human Services has outlined what kind of security measures need to be in place when it comes to your organization’s IT. But, to put it succinctly, here are some of the features your hosting solution needs to have to be HIPAA compliant. Many of these features pertain to the integrity of sensitive patient records and ensuring that they cannot be viewed or obtained by unauthorized parties.

A fully managed firewall needs to be put in place to prevent unauthorized access to the server and identify threats. It’s important to recognize that the “fully managed” descriptor is key. While a firewall, in general, is a good thing to have when talking about any kind of IT solution, a managed one is what satisfies the need for proper implementation, monitoring, and timely updates.

To go along with the need for a firewall, a separate intrusion detection system must also be in place. An IDS covers ground a firewall cannot. An IDS can identify a breach after it occurs and notifies the administrator of unusual activity within the system, while a firewall is an initial barrier.

The hosting environment must also be encrypted, use a VPN, and have an SSL in place. This ensures that any data that is transferred cannot be read by an unauthorized party. Again, these are all layers of security that offer protection through redundancy. If one layer somehow fails or is breached, the others can still offer the necessary protection so patient records, for example, are not compromised.

The hosting environment must also undergo regular scanning for threats. This can take the form of vulnerability scans and the use of anti-virus software.

What other assurances from the host are needed?

The host you use must meet all the security requirements necessary. One major detail that must be present in order to be a truly compliant host is the use of a business associate agreement. What this does is it addresses the responsibilities of your host, what is provided, what is not, and a guarantee that the records your organization will be keeping with or transferring to the host will not be accessed inappropriately. It also states how the relationship between both parties will be disclosed. To put it simply, this contact acknowledges that your hosting company has a responsibility to your organization and that your hosting environment will remain HIPAA compliant.

Additionally, seeing evidence that your host has been audited by third parties and are verifiably compliant is important.

What are the risks involved if you’re not compliant?

Finally, what does not being in compliance mean for your business? The reason why HIPAA compliance causes so much concern is that the costs of not operating within regulations can be staggering. The Department of Health and Human Services’ Office for Civil Rights can fine organizations found to not be compliant up to $1.5 million. That’s just the noncompliance penalty. In the event of a data breach, it’s rare for the only cost to be a fine. Take Anthem, for example: while your firm may not be anywhere near their size, their data breach ended up costing them around $100 million. Depending on the size of your business, it may be impossible to recover the costs associated with a security breach.