Every healthcare organization knows about the importance of the Health Insurance Portability and Accountability Act of 1996. That law has of course been updated over time. The most recent change has been the HIPAA Omnibus Final Rule, which went into effect September 2013.
What’s the context of the Final Rule?
Although the Final Rule creates revisions to HIPAA, it actually was created in response to the passage of HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009). The latter law made a major impact on healthcare by incentivizing a transition to EMR (electronic medical records). Once the federal government was officially recommending and promoting the use of electronic data for patients, it made sense to re-explore the security and privacy parameters of HIPAA to make sure the protections were extensive enough to fit the current landscape.
The Final Rule may sound relatively simple, but like any of the other healthcare laws, it created a seismic shift in the healthcare industry. As the law was about to go into effect, various security and infrastructure pundits offered guides on how to adapt. One of the best was from Neal Bradbury, writing for managed services informational site MSPmentor last August.
Three quick ideas for HIPAA adaptation
Here are Bradbury’s three broad tips for adapting to the Omnibus Rule and maintaining HIPAA compliance in 2014 and beyond:
1. Choose shared liability.
One thing that changed with the Final Rule is that business associates now are treated as covered entities, so a hosting company or similar third-party organization (including shredding companies, billers, etc.) is expected to maintain the parameters of the law as well. However, some companies don’t entirely understand the law. It’s up to you to select a knowledgeable, credible organization and make sure a BAA (business associate agreement) is in place.
Bradbury notes that some cloud healthcare services have told customers that they don’t need these agreements because cloud providers are considered a “conduit exception” just as postal companies are. Clearly data networks are more than simply a conduit, so that perspective is false – as indicated in June 2013 by Kimberly M. Wong of Baker & Hostetler LLP.
Before choosing a HIPAA data service provider of any type, or anyone that handles your PHI (protected health information) in any way, verify that what they are providing is a reasonable fit for a healthcare setting. Once you have a general sense that an organization is healthcare-ready, look at the parameters of the BAA they offer specifically so you know what they contractually have to do to safeguard patient data.
As Bradbury notes, the BAA “should spell out several ‘What if?’ Scenarios, ranging from data breaches to the provider going out of business.” Look at the contract carefully. Clarify anything that needs clarified. Don’t feel that you are stuck if you don’t like the agreement. You can always go somewhere else. Make sure that significant responsibility is assumed by the IT vendor.
2. Side with backup and security expertise.
The healthcare industry currently feels pressure from all sides: data must be widely available to take advantage of current technology, but regulations require firm controls. Even though the law is strongly worded, 19 million patients and healthcare providers were influenced by loss or theft of data between 2011 and 2013. Here are a few considerations regarding strong backup and security:
- What are your current backup policies? Are you encrypting? Are you backing up manually? Bradbury notes that manual backups “almost always lead to backup inconsistency.” You want a provider with a strong system in place, specifically tailored to healthcare, such as our AES-256 (Advanced Encryption Standard-256) encrypted HIPAA Backup Manager.
- What about disaster recovery? Do you currently have NAS (network attached storage) implemented at your facility? Do you have a DR plan (disaster recovery plan) related to that device? Is all your information automatically backed up to a data center that’s in a safe location at a distance from your headquarters (in the event of disaster at a single location)?
- How is everything secured at the data center? You need to be concerned with business associate treatment of data in two primary ways: encryption and security mechanisms of the facility. It’s noteworthy that Bradbury specifically recommends AES-256, the same technology the federal government employees to safeguard top-secret files, and SSAE 16 (Statements on Standards for Attestation Engagements 16 http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf) certification – both comprehensively implemented in every Atlantic.Net HIPPA Compliant Server solution.
3. Prioritize recovery time.
You should have a sense that multiple redundancies are implemented at a provider, that crashes are incredibly unlikely. The next thing you want to know is if there is systemic failure, how quickly can you get everything back up and running? As Bradbury notes, “This is where the conversation gets real.”
Recovery can be complicated or simple, depending on what solution you’re using. Your data may be safe, but it could take up to 72 hours to recover from failure at some facilities, assuming they need to get new hardware, install drivers and an operating system, and transfer in all necessary files.
Why a healthcare specialist?
Bradbury is adamant that you do not want to choose a provider with weak healthcare experience. Atlantic.Net is at the forefront of this industry. Complete Healthcare Solutions chose us because of our “secure infrastructure and expertise in Healthcare IT.” Talk with us, and you will become even more confident that we are the right choice in this and Cloud Hosting.