For those in healthcare IT, HIPAA has been a major concern since it was passed in 1996. The Health Insurance Portability and Accountability Act has two main sections – Title I and Title II. Title I is about portability. In a nutshell, it deals with individual rights related to health insurance, especially group health insurance when a person is laid off or switching employers.
Title II is the one that is of interest to all healthcare entities, not just insurance companies and HR departments. That section of HIPAA primarily deals with issues of privacy and security.
All of the act has ramifications for many individuals, but Title II has broader applications for the entire medical industry, especially regarding how data is handled. The digital age makes data handling more critical and, sometimes, more complex than was the case with physical documents. A hosting company describing itself as HIPAA-compliant is specifically referencing the privacy and security provisions established in Title II.
Covered entity versus business associate
The relationship between you and your hosting company regarding HIPAA server compliance will help you understand what your responsibilities are and what the role of the hosting service is. The rules of HIPAA apply to “covered entities” and “business associates.”
Covered entities – A covered entity, if you are in the healthcare field, is your organization. Covered entities include the following:
- Companies involved in health coverage – health insurance organizations, government services such as Medicaid and Medicare, medical plans provided by private companies to their employees, etc.
- Providers of healthcare services – physicians, dentists, medical practices, pharmacies, nursing homes, etc. (assuming that the practitioner or company deals with electronic medical records, a.k.a. EMR, in ways detailed by standards of the US Department of Health & Human Services).
- Companies holding or transferring data – organizations that serve as clearinghouses of health information, typically transitioning data back and forth between physical and electronic media.
Business associates – The privacy and security rules extend to these parties, such as hosting companies, when any of the covered entities listed above use a third party to assist in any way with medical records and related information. Utilizing a business associate involves the following contractual relationship:
- Business associate agreement – a document completed between the two parties, detailing the role of the business associate related to the data.
- Specific compliance language – terms stating that the business associate must be in compliance with the privacy and security rules of HIPAA regarding the data.
Be aware that the contract is not the only protection for healthcare information related to business associates. These third-party companies are also automatically held accountable for various stipulations listed in HIPAA.
Due to this assumed liability, note that some hosting companies protect themselves by stating outright that healthcare organizations may not use their services for the storage or handling of electronic medical records; whereas others welcome all medical business, having adopted full compliance measures.
HIPAA Web Hosting Compliance
Ask your host: four questions regarding HIPAA compliance
Consider asking a hosting provider the following questions. These questions will help to establish whether or not the host is truly compliant with current HIPAA expectations:
- Have you passed an OCR HIPAA Audit? Since the passage of a related bill called the Health Insurance Technology for Economic and Clinical Health Act (HITECH), covered entities must undergo auditing. If your hosting provider is processing data on your behalf, it should have undergone an audit as well.
- What happens if something goes wrong? Your hosting provider must notify you in a timely manner if there is any data breach. A business associate is held liable for getting you that information promptly so that your organization (the covered entity) can quickly alert any patients whose information was compromised. Ask for the specific policies the company has in place for breaches affecting healthcare accounts.
- What is your policy toward Business Associate Agreements (BAAs)? Make sure that the hosting company has a high degree of familiarity with these contracts and is prepared to sign them promptly. The business associate agreement ensures that the hosting company understands its responsibility to treat patient health information (PHI) with the highest degree of security.
- Are you also compliant with SSAE 16 Type II? Auditing for the rules established by the Statement on Standards for Attestation Engagements 16 goes beyond the requirements of HIPAA, providing you better assurance of security protocols. SSAE 16 both contains stronger, more widespread security guidelines and checks the hosting company’s system over a lengthier time span.
Choosing a HIPAA-compliant hosting provider
As you may have gathered while reading the above, we would not detail the provisions of HIPAA and recommend questions you can use to grill hosting companies if we were not confident in our own services. Some cloud hosting providers struggle with security, but at Atlantic.Net, our hosting is compliant with both HIPAA and SSAE 16.