The Health Insurance Portability & Accountability Act is the first consideration for any conscientious healthcare organization when considering infrastructure for a web application. After all, they need to know that any protected health information (PHI) – that is, health information of individuals that is protected by the US government through the Department of Health and Human Services (HHS) – is secured when it is stored, processed, or transmitted through the hosting service. HIPAA rules relate to data handling regardless of the party performing the handling; nonetheless, there are questions that you will specifically want to ask when you set up hosting for a web app, or for anything else.
The Business Associate Agreement (BAA) is critical to this discussion because it defines the responsibilities of the two parties in a HIPAA business associate relationship. Plus, it is simply an important aspect of staying compliant with HIPAA. However, simply putting a BAA into effect to solidify your relationship does not mean that the provider is solely responsible for your information and does not mean your data will not be compromised. While you probably know that business associates now have responsibility to adhere to HIPAA just as healthcare companies and other covered entities do, the impact of a breach will often be much more expensive for the CE. Because of that, the BAA is not the only thing you need to worry about when you set up a hosting service – so the questions that you ask a HIPAA-compliant hosting service for your app should go beyond the confines of that agreement.
Due diligence is required – which means asking a lot of questions about the BAA and the company’s policies and technologies. Here are a few questions you can ask your provider when you need HIPAA compliant hosting for a web application. As a whole, they can help you verify that the vendor is truly committed to staying compliant and protecting your patients’ sensitive, confidential records so that your credibility and finances are not at risk.
1.) Will the web app host sign your BAA?
While the BAA is not enough by itself, you need it to be as painstakingly constructed as possible – and that requires the cooperation of the provider (after all, it is an “agreement”). Make sure that the HIPAA hosting provider will sign your BAA; that will involve a review by their attorneys. There may be some negotiation of terms, but you must be sure that any changes do not threaten your compliance, so that you protect yourself again the fallout of a violation.
You especially need to know if the aspects of the BAA that are the most critical to you will be accepted. For instance, some aspects of the agreement may be in the document because they are part of state rather than federal mandates. You simply have to choose a different provider if the one that you are currently reviewing is unwilling to meet your compliance requirements.
2.) What protective steps have been taken with the HIPAA hosting service’s subcontractors?
This question is easy to forget, but there are often subcontractors involved in the IT field. To know that your data is safe, any relevant business associates of the host must sign BAAs as well. Plus, it is important to go beyond the BAA with them and know exactly how your information will be protected.
3.) What specific steps has the company taken that are intended to provide greater security for the data?
No matter how many good things you’ve heard from a provider, the conversation cannot stop at them claiming their HIPAA compliance (or perhaps possessing certification as such). You need to know what technologies the organization will use for your environment and everything else that they will do that is geared toward PHI protection.
4.) Does the hosting provider have data breach insurance in effect?
Since a BAA should pass liability to the provider, the data breach can get expensive for them, as indicated by Becker’s Hospital Review. Their insurance is protection for you.
5.) How will you back up my data?
You need to go beyond backup and ensure that all records are encrypted. Notably, encryption is not required by Health & Human Services (via the Office of the National Coordinator for Health Information Technology, or ONC). However, since it is understood as a best practice, you would have a difficult time defending yourself against negligence. While not stated explicitly, a lack of encryption would suggest that an organization was not “identifying and protecting against reasonably anticipated threats to the security and integrity of the information,” as stated in the HHS’s Security Rule.
Often hosts and other IT providers will promote themselves as HIPAA-compliant – but getting them to sign a BAA is a different matter. The reason some providers will hesitate before signing your agreement is that it involves them taking on additional liability (i.e., by signing the document, they are assigning themselves responsibility for protections they might not be able to deliver or want to deliver at the current price).
6.) Have you had compliance and security professionals audit your deployment to verify that it meets HIPAA parameters?
As Ron Avignone points out in Medical Economics, “most software companies do not have the security and HIPAA expertise to maintain compliance on an ongoing basis” – and the same is true of infrastructure providers. Asking for outside auditors is a way of tapping industry standards to confirm the authenticity of a security and compliance approach.
7.) Is the relationship with the business associate well-defined on all three control levels required by HIPAA – administrative, technical, and physical?
In order to maintain compliance with HIPAA, it is necessary to have strong safeguards that are administrative (such as policies), physical (such as data center protections), and technical (such as encryption). You must maintain compliance in each of these three different directions. A high-quality HIPAA compliant hosting service for your web application will be able to keep you abreast of how they are enforcing strict security standards and maintaining compliance with HHS regulations (particularly the Security Rule), so you can easily understand how you are maintaining compliance in each of the three ways.
8.) Once your agreement with the contractor ends, what happens to your data?
If the information will be deleted, the process that is used must be secure in order to maintain compliance (i.e., it must be “shred”-wiped). Also, even after the agreement is no longer in effect, the BAA must be understood to stay in force through the end of any time they are handling your PHI (including if they are keeping the data simply as backups or for legal purposes).
Experienced HIPAA-compliant web hosting
A BAA exists in order to keep personal health records safe and confidential. Having a BAA in place with a provider is absolutely key; but that document does not necessarily guarantee that your vendor is actually maintaining HIPAA compliance. Because that’s the case, every covered entity must vet different providers to gauge their true level of HIPAA compliance and, in turn, expertise in guiding you forward.
Are you in need of HIPAA compliant hosting for your healthcare web application? HIPAA compliant hosting by Atlantic.Net is SOC 1 and SOC 2 certified, and HIPAA and HITECH audited, designed to secure PHI. See our HIPAA compliant hosting solutions.