Health Care IT

The Role of Business Associates in HIPAA Compliant Hosting

  • HITECH and the Role of Business Associates
  • Business Associate Definition
  • Examples and Wide-Ranging Scope

HITECH and the Role of Business Associates

A HIPAA compliant system must be designed conscientiously to include the various security and privacy technologies discussed in the above video.



How to Become HIPAA-Compliant

One of the problems with our increasingly technological world is that the speed at which our devices and services upgrade and make older versions obsolete can be dizzying. It feels like only an instant before the latest smartphone or flatscreen TV is being replaced with the bigger, better, faster model.

The same holds true in the world of hosting, data management, and server administration. And while it can be tough for any type of business to keep up, it is crucially important if your company is involved with health care IT and has to maintain HIPAA compliance.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has several parts, but as it pertains to health care IT and the focus of this article, HIPAA compliance means your company’s ability to adhere to the national standards for electronic health care transactions, for national identifiers for health care providers, employers, and health plans, and, under the Privacy and Security Rules, for the protection of patient health information.

As one might imagine with such a large piece of national legislation, there are a myriad of minimum requirements that your company’s systems and operations must meet. And as one might also imagine, understanding and implementing exactly how those systems and operations must work to be HIPAA compliant can quickly become a daunting task. Having a quick, clear, and easy 10-step HIPAA compliance checklist to run through can be a major help, which is what we are doing in this article. We will also take a look at a series of hosting questions asked by an Atlantic.net healthcare client interested in learning more about the specifics of compliance.

  • 10-Step HIPAA Checklist
  • Spotlight: HIPAA Technology Provider Questions
  • The Right HIPAA Information Technology Answers

10-Step HIPAA Checklist

If you want to know how to become HIPAA compliant, there are specific standardized technologies that you should have in place to properly protect Protected Health Information, or PHI, and avoid violations. We’ll dive more into the technological side in the spotlight section below, which details a conversation with a client.

In addition to those technical specifications, here are 10 additional actions you want to take as general HIPAA administrative safeguards. Although these tactics should not be considered exhaustive, each one reduces your liability and makes an investigation or penalty from the Department of Health and Human Services (HHS) less likely:

Step #1 – Create a Security and Privacy Policy

“Healthcare organizations must develop, adopt and implement privacy and security policies and procedures,” said Becker’s Hospital Review. “They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.”

This is particularly important in today’s world, where cybercrime, from brute force credential attacks and phishing to Distributed Denial of Service (DDoS) attacks, has caused outages and some of the biggest data breaches in history. And after the 2015 Anthem data breach, having air-tight security safeguards in place is paramount, as is having the proper protocols in place in the unfortunate event of a hack or breach.

Step #2 – Name a Privacy and Security Officer

Name one or two people who are knowledgeable about HIPAA compliance requirements to these roles; the Privacy Rule and the Security Rule each require a designated official. One of the most crucial aspects of being HIPAA compliant is ensuring that your data remains safe, secure, and most importantly, confidential. It makes sense that the person, or people, in charge of that data are experts in the field. They can also help you set up air-tight policies (as mentioned in Step #1 above) and implement the best possible procedures in case of an attack or system error.

Step #3 – Perform Periodic Vulnerability Reviews

You want to check and test your exposure to risk on a regular basis; the Security Rule calls this a risk analysis and requires it. If you find anything amiss, correct it, and adjust your policies based on what these assessments show. After all, a chain is only as strong as its weakest link: even if the vast majority of your systems are air-tight, it would only take one small mistake or oversight to cause massive problems. Hackers, cybercriminals, and even inadvertent employee mistakes can all lead to major problems and possible violations if they are not shored up immediately.

Step #4 – Create a Specific Policy for Email

The HHS Office for Civil Rights, or OCR, has stated that it wants to see user guidelines crafted to the particular situation, as exhibited by specific mobile and email policies. Interestingly, the regulations do not state anywhere that PHI must only be sent and received via encrypted email: encryption is an “addressable” implementation specification under the Security Rule, which means you must either implement it or document why an equivalent alternative is reasonable. In practice, the answer is to make your email system HIPAA compliant by encrypting every message that carries PHI. Encryption also limits your breach exposure: PHI encrypted according to HHS guidance is not “unsecured” PHI, so the loss of an encrypted message does not by itself trigger breach notification.

In today’s world, email encryption is relatively fast, easy, and painless to implement, and many providers offer it free of charge. It is very much the time to look into it, but if you decide that email encryption is not right for you at this point in time, you must at the very least inform your patients that requesting records through unencrypted email puts their information at risk.
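An email policy is only enforceable if something can tell a PHI-bearing message from an ordinary one before it leaves. The following scanner is an added example, not code from the original article or from Atlantic.net: it looks for a pattern-recognisable subset of the HIPAA Safe Harbor identifiers (SSN, phone, email address, full date, IP address, and a hypothetical medical record number format) in a message and returns a routing decision of “encrypt” or “plain”, plus a redacted copy. The sample messages are constructed for this example, and the MRN pattern is an assumption, since real MRN formats are site-specific.

```python
"""PHI identifier scanner for an outbound-mail or log pipeline (added example).

Flags text that carries HIPAA Safe Harbor identifiers so a gateway can route
the message to encryption (or quarantine) instead of sending it in the clear.
Only a pattern-recognisable subset of the 18 Safe Harbor identifiers is
covered; names and free-text clinical details are NOT detected by this code.
"""
from __future__ import annotations

import re

# Subset of the 18 Safe Harbor identifiers that have a recognisable shape.
# Order matters for redact(): earlier patterns are replaced first.
PATTERNS: dict[str, re.Pattern[str]] = {
    # US Social Security Number, excluding impossible area/group/serial values
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # North American phone number with optional +1 and common separators
    "phone": re.compile(r"(?:\+?1[-.\s]?)?\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Full dates (a year alone is permitted under Safe Harbor; full dates are not)
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Hypothetical medical record number format; real MRN formats are site-specific
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every identifier found in text, keyed by kind (empty dict if none)."""
    found: dict[str, list[str]] = {}
    for kind, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = hits
    return found


def redact(text: str) -> str:
    """Replace each identifier with a [KIND] token, Safe Harbor style."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


def route_message(subject: str, body: str) -> str:
    """Policy decision for an outbound message: 'encrypt' if any identifier
    is present in the subject or body, otherwise 'plain'."""
    return "encrypt" if find_identifiers(subject + "\n" + body) else "plain"


# Constructed sample messages; none of these describe a real person.
SAMPLE_MESSAGES = [
    ("Appointment reminder",
     "Hi, your visit is confirmed. Reply to this message with questions."),
    ("Lab results for J. Doe",
     "Patient DOB 03/14/1962, MRN# 4481902, SSN 123-45-6789. "
     "Call (407) 555-0199 or email j.doe@example.com with questions."),
    ("Access log excerpt",
     "2024-05-07 portal login from 192.168.4.17 for account 0091"),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        decision = route_message(subject, body)
        print(f"{subject!r}: {decision}")
        if decision == "encrypt":
            print("  identifiers:", find_identifiers(body))
            print("  redacted:   ", redact(body))
```

Treat a scanner like this as a safety net behind the policy, not as the policy itself: it cannot recognise a patient’s name or a diagnosis written in plain prose, so the default for clinical staff should still be to send PHI only through the encrypted channel, with the scanner catching the messages that slip past that habit.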

Step #5 – Create a Specific Mobile Policy

Mobile devices are everywhere, and they get more omnipresent each and every year. Every side of the health care world, providers and patients alike, uses mobile devices to check email and log into profiles. As such, it will greatly benefit you to create a strong policy to safeguard health data on mobile devices, such as smartphones and laptops, which are particularly susceptible to physical theft; full-disk encryption and remote wipe are the practical controls against that theft. The policy should also address what happens when a new device is added to or removed from the network.

Step #6 – Train Your Staff

While not everyone on your team must be an industry-leading expert in the finer technicalities of HIPAA (save those hires for your Security and Privacy Officer positions, as mentioned in Step #2), it will behoove you if your staff is comfortably familiar with the basic parameters of HIPAA. Numerous studies have shown that employees are consistently one of the biggest risks to a company’s cybersecurity, usually through a lack of knowledge of the proper protocols. Nobody wants to be the cause of a HIPAA violation, so it is in your best interest to provide training to anyone who joins your staff and periodic refreshers (some say every six months) for continuing employees.

Step #7 – Develop a Privacy Notice

Communication is key, and that goes double for privacy. Having a clear, concise privacy notice (the Privacy Rule calls it a Notice of Privacy Practices) is important, as is getting it out there for all to see. Make sure that your privacy notice is posted on your website and is easy to find. The same notice should be handed out to patients, and they should sign that they’ve received it. Also, don’t be afraid to view your privacy notice as a living, breathing document: if certain events, either in your company or in the health care industry at large, necessitate changes, update the notice. And when you do, get new signatures from your patients to ensure they understand what’s been updated.

Step #8 – Solidify Business Associate Relationships

Odds are your business isn’t an island; you have a team of business associates that you work with on a regular basis. Even though they aren’t full-time employees, you still need to make sure they adhere to any policies you’ve set forth. Harking back to the chain analogy used in Step #3, if your associates aren’t a strong link, it’s a problem. You need to make sure that a strong business associate agreement is signed with every vendor that creates, receives, maintains, or transmits PHI on your behalf, from hosting providers to shredding companies.

Step #9 – Establish a Protocol for Possible Breaches

It’s critical to have a step-by-step system for whenever you think a breach might have occurred. Even the most safeguarded and up-to-date systems are susceptible to breaches, so always view cybersecurity as two sides of the same coin: it’s important to invest time and money in infrastructure and policies that help prevent breaches and other forms of attack, but the flip side is to always know that a breach is a distinct possibility.

“The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred,” noted Becker’s. “If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.” Note that since the 2013 Omnibus Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.

Step #10 – Make Sure the Privacy and Security Policies are Followed

Preparation is only half the battle, and an important half to be sure, but what good are the best-laid plans if they aren’t followed? Ensuring that they are actively followed is critical. It needs to be a part of your company’s DNA and breathed into each and every operation your company undertakes. In addition to making sure the policies are well-known and followed by all your team members and all business associates, it should also be known that failure to adhere to those policies comes with penalties. Make sure the consequences of failing to comply with your HIPAA compliance policies are both well-known and strict enough to ensure your staff does everything possible to follow them.

Spotlight: HIPAA Technology Provider Questions

This section spotlights a recent and actual question-and-answer exchange we had with a prospective healthcare client – we’ve of course anonymized and edited it for privacy. For brevity, we’ll skip the introductions and jump right into the Q&A. We hope this gives you some insight into some of the more technical aspects of HIPAA compliance, and how any company worth your time will have strong answers to each of these types of questions.

Healthcare Client:

Have you been independently audited against the OCR HIPAA Audit Protocol?

Hosting Consultant:

Yes, I have attached our HIPAA audit for your review.

Healthcare Client:

What particular IT services meet HIPAA compliant security standards for protecting PHI?

Hosting Consultant:

The following services fully meet HIPAA compliant security standards with regards to Personal Health Information, or PHI: Fully Managed Hardware Firewall; Encrypted VPNs; Intrusion Detection System; Fully Managed Daily Encrypted Backup; Private Dedicated Server Environment with Self-Encrypted Storage (Virtualized or Non-Virtualized); and Anti-Virus Software.

Healthcare Client:

Do you have documented policies and procedures?

Hosting Consultant:

Yes, but the Policies and Procedures are Proprietary Information. We only release the HIPAA Audit, BAA, DR Document, and SSAE 16 (SOC 2, Type 1 & 2) audit. (All are attached.)

Healthcare Client:

Are your employees trained?

Hosting Consultant:

Of course.

Healthcare Client:

Do you have a thorough BAA (Business Associate Agreement) with documented and communicated policies?

Hosting Consultant:

Yes, and it is attached for your review.

Healthcare Client:

What is the difference between regular server hosting and HIPAA compliant server hosting (structure-wise)?

Hosting Consultant:

The only fundamental difference is that HIPAA compliant hosting requires an Intrusion Detection System. It also requires all of the services listed above in the question regarding services meeting PHI protection protocols. HIPAA compliant hosting can include a Virtualized Private Dedicated Server environment but it cannot include Public Cloud / VPS hosting services.

Healthcare Client:

Why is the HIPAA compliant server hosting more expensive than regular server hosting?

Hosting Consultant:

Because of the technologies listed above and because you cannot remove any of these items from the hosting platform as you can with a non-HIPAA hosting environment.

The Right HIPAA Information Technology Answers

Every healthcare company should put questions like these to the IT providers it works with, since any weakness at the provider is a risk to its patients’ health information. After all, even a minor HIPAA violation can be disastrous to a health care IT organization.

Atlantic.Net is a trusted HIT provider. Our clients trust us because we are experts on the subject and are fully transparent in all communications, as evidenced by this customer testimonial below:

“Atlantic.Net’s reputation for 100% up-time, their secure infrastructure and expertise in Healthcare IT were key components in finalizing our partnership,” said Complete Healthcare Solutions Vice President Joseph Nompleggi.

Feel free to contact us today to see if we can help you meet your HIPAA compliance needs.

By Moazzam Adnan


What is the HIPAA Security Rule? [Safeguard Checklist]

The HIPAA Security Rule is a piece of the Health Insurance Portability and Accountability Act, passed by Congress and signed into law in 1996. Here is a little information on the Security Rule and a security checklist so that your organization can quickly and effectively become compliant.

  • HIPAA Security and Privacy Rules
  • HIPAA Security Checklist
  • Get Help

HIPAA Security and Privacy Rules

In 1996, a few pen strokes made a huge impact on the American healthcare industry: President Bill Clinton signed the Health Insurance Portability and Accountability Act into law. Title II of HIPAA directed Health and Human Services (HHS) to create a series of guidelines and standards to safeguard patient health data. In turn, HHS developed regulations which are typically called the HIPAA Privacy Rule and HIPAA Security Rule.



What is HIPAA Compliance?

HIPAA compliance is an attribute of an organization or system that follows the parameters of the Health Insurance Portability and Accountability Act, legislation that specifies the protection of patient files through its security and privacy rules.

  • Not Just Data Privacy: The 5 HIPAA Titles
  • HIPAA Title II Highlights
  • What Can Go Wrong? [Stats]
  • HIPAA Compliant Hosting Requirements

Not Just Data Privacy: The 5 HIPAA Titles

HIPAA compliance is adherence to the laws outlined in the Health Insurance Portability and Accountability Act, US federal healthcare legislation that notably contains rules for security and privacy of patient records. The act, which became law in August 1996 under President Bill Clinton, has five sections – called titles – focused on specific areas:



Achieving HIPAA Compliance with Mobile Devices

Last year, Google Fit and Apple Health brought health applications into the mainstream. Developers unfamiliar with this space must learn how to maintain HIPAA compliance.

  • Study: Health IT will Change Rapidly
  • Possible PHI Issues
  • Example: Mobile HIPAA Provider Selection Story
  • A Simple and Predictable Plotline

Study: Health IT will Change Rapidly

Two major trends, a boost in cloud adoption among healthcare providers and a drop in the expenses to deploy systems will make a major impact on the American HIT market through 2018, per a whitepaper released last year.



What are e-Health Applications?

  • What is e-Health?
  • Practical Uses
  • Examples: Broad Types
  • Example: e-Health Application Hosting Story
  • Writing Your Own Story

What is e-Health?

Electronic health, shortened to either e-health or eHealth, is the delivery of healthcare through electronic means. The concept is often used alongside electronic health records (EHRs), as in the national health programs of Australia and Canada. It is often discussed in the public sector as a method to improve population health, while the same agencies constrain such applications with patient privacy and security safeguards (such as HIPAA Title II).



Healthcare HIPAA API Explained

  • The Rise of HIPAA-Compliant Mobile
  • The Essence of HIPAA Compliance
  • An API as a HIPAA Compliance Tool

The Rise of HIPAA-Compliant Mobile

The third platform of cloud-delivered mobile allows users to pull in data from various locations (whether stored anywhere online or locally) so that they are operating with real-time knowledge. Although all IT decisions must be particularly conscientious in healthcare both because of compliance and the acceleration of hacking, wearables and other smart devices continue to grow in popularity.



HIPAA Compliant File Storage

How can you take advantage of the incredible power of cloud hosting while still meeting HIPAA data storage requirements at all times?

The best way currently available to store your medical files and share them between various parties is with HIPAA compliant cloud storage. Various cloud apps are designed for filesharing (examples include Box, Dropbox, and Google Drive), which also allows you to back up the files and synchronize data between various devices. However, general technological solutions are not designed for the special case of healthcare – in particular with regard to encryption.



What Is the Penalty for a HIPAA Violation?

  • Example of HIPAA Violation
  • Legislative Basis
  • Consequences of HIPAA Violations – Civil Penalties
  • HIPAA Criminal Penalties
  • Covered Entities & Individual People
  • “Knowingly”
  • Exclusion & Upholding the Law
  • Choosing a Compliance Partner

Example of HIPAA Violation

Those who follow Healthcare IT news will often see stories about large HIPAA settlements by the US Department of Health & Human Services, such as the $4.8 million HIPAA fines against Columbia University and New York Presbyterian Hospital in early 2014. No situation is the same, and not all settlements will be as severe as that one. In the Columbia University case, PHI was actually posted to the public Internet, with patient files accessible directly through search engines.



What is Protected Health Information?

If you are active in US healthcare, you probably know that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards protected health information, a.k.a. PHI. What is protected health information exactly?

  • Protected Health Information Definition
  • 18 Identifiers of PHI
  • Research Examples of Protected Health Information
  • Partners in PHI

Protected Health Information Definition

What is PHI? The reason that the concept of protected health information (PHI) exists is really to clarify the parameters of HIPAA. It delineates the specific type of data that is protected by the law.


