A HIPAA compliant client portal must secure patient information – which is why a custom HIPAA compliant portal can be an especially delicate prospect. Below, we explore a recent request our sales team received for such a portal, and how to go about meeting the requirements for a HIPAA compliant client portal.
Client Portal Solution Request for Atlantic.Net
A healthcare professional was researching a client portal solution for her organization. She was setting up a one-stop shop for each of the client facilities through which all users could access a shared docs area, a secure document portal, a navigation area for online resources, and other tools. The executive wanted to build a system that would include content/version management and that could reflect any modifications immediately across several different sites.
The healthcare pro needed the software within the portal to be accessible from mobile devices in any location, with dozens of individuals needing to be able to access it through their tablets or smartphones.
She also wanted to be able to take advantage of cloud backup, storing an additional copy of the files from the on-premises computers in the cloud.
The researcher needed a HIPAA compliant server to back this portal environment – which is why they contacted us.
Getting HIPAA-compliant infrastructure is critical. To maintain full compliance, you need to understand the law and take steps yourself to adhere to its standards. To properly safeguard the data within your IT systems, the key concern is the Security Rule. The steps below will help you keep your data safe within a healthcare portal while also underscoring key elements of HIPAA for any time you set up hosting. Note that while some points are framed in terms of cloud, they largely apply to any third-party information technology.
Know the Security Rule.
Your key concern when setting up an environment for a HIPAA compliant portal – including the HIPAA audited data center in which it is hosted – is the parameters of the Security Rule. A primary objective of the Security Rule, according to the HHS, is to give healthcare organizations access to modern technologies while also protecting patient health privacy.
Being aware of the scope of the Security Rule has become a broader concern over the years. Originally, the only organizations that had to worry about the Security Rule were healthcare providers, plans, and data clearinghouses. However, in 2009, legislation was passed called the Health Information Technology for Economic and Clinical Health Act (HITECH) that also made the business associates of HIPAA covered entities liable for meeting the Security Rule.
The Security Rule is designed to safeguard electronic protected health information (ePHI), which is individually identifiable health data that an organization creates, maintains, receives, or sends electronically.
The Security Rule dictates that there should be protections in place physically, technically, and administratively so that electronic PHI is kept safe. Healthcare plans, providers, and clearinghouses have to do the following:
- Make sure that all the protected health data they create, store, receive, or send is available, uncorrupted, and kept private.
- Identify any elements of the environment that could threaten the integrity or security of data, and set up defenses against them.
- Set up protections so that uses or disclosures that are foreseeable and are not allowed under the law do not occur.
- Make sure that everyone on staff stays compliant with HIPAA.
Have a strong business associate agreement in place.
You certainly need to have a BAA in place when a cloud service provider (CSP) such as a hosting service is creating, receiving, sending, or storing confidential health data based on your agreement with them.
Because cloud computing has become so prominent, the HHS has released guidance specifically for cloud services.
The HHS considers cloud solutions acceptable for processing and storing electronic protected health information; in other words, you can build any solution that must be HIPAA-compliant with cloud components. Again, the key concern is that you have a BAA in place so that every responsibility for handling sensitive health data is understood (i.e. whether it is yours, theirs, or shared). Beyond designating who is in charge of which safeguards, the BAA also specifies what health record use and disclosure is allowed and required. The nature of this agreement will vary somewhat based on the types of services being performed.
Understand the environment.
When engaging an organization such as an infrastructure provider, in which you are using a service that is not just entirely behind the scenes but behind lock and key in a facility that few people ever enter, it seems almost impossible to conduct true due-diligence. This line is relatively illuminating from the HHS: “A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs.”
All organizations that are involved in any manner in the handling of federally safeguarded health data, whether healthcare is their core business or not, should perform risk analyses at routine intervals so that they can determine and study what elements of the environment might pose a fair risk to their ability to keep sensitive data from getting into the hands of unauthorized parties. If you are really feeling masochistic and want to look at the federal law, you can “check out” 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502.
HIPAA and HITECH, the original source documents:
- See the full text of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) here.
- See the full text of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), part of the American Recovery and Reinvestment Act of 2009 (ARRA), here (scroll to Title XIII – HEALTH INFORMATION TECHNOLOGY).
The HHS guidelines explicitly state that private, public, and hybrid clouds, along with any other types (e.g. community) are acceptable models through which to maintain HIPAA compliance. However, the BAA must be there. Also, it is important to stress that the HHS promotes flexibility but also awareness of the specific situation – noting that the model that is implemented may have an impact on the way that risk is assessed and managed – in turn influencing the language of the BAA.
Inspect the Service Level Agreement (SLA).
Keep in mind that the business associate agreement does not need to include all aspects of the relationship with the provider – nor should it. The SLA is the place to talk about certain aspects of the service that will be provided that have more to do with business needs but could also be key to maintenance of your compliance. An example is language within an SLA that discusses:
- Retention, use, and disclosure constraints;
- Requirements in terms of security parameters;
- The method by which all information within the system will be sent back to you if you decide to leave the service;
- The methods and plans used for data recovery and backup, sufficient for you to be able to know what to do if you experience any emergency scenario, such as ransomware events;
- The reliability and availability of the system.
When you enter into an agreement with a cloud service provider and sign a service level agreement, you need to make sure that the SLA is consistent with, or stronger than, the requirements of HIPAA and the terms of the BAA. Your organization (whether you are a HIPAA covered entity or a business associate) must be certain that the contract never prevents you from accessing your data at any point. If a vendor does not properly supply that access, it is in violation of these passages: 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1) (as discussed by the HHS here).
Your HIPAA-compliant portal hosting
Are you in need of a HIPAA-compliant portal, or do you otherwise need infrastructure to handle ePHI for your organization? HIPAA Compliant Hosting by Atlantic.Net™ is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records. See our HIPAA-Compliant Hosting Solutions.