Every healthcare organization knows about the importance of the Health Insurance Portability and Accountability Act of 1996. That law has, of course, been updated over time, and the most recent change has been the HIPAA Omnibus Final Rule, which went into effect in September 2013.
What’s the context of the Final Rule?
Although the Final Rule creates revisions to HIPAA, it actually was created in response to the passage of HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009). The latter law significantly impacted healthcare by incentivizing a transition to EMR (electronic medical records). Once the federal government was officially recommending and promoting the use of electronic data for patients, it made sense to re-explore the security and privacy parameters of HIPAA to make sure the protections were extensive enough to fit the current landscape.
The Final Rule may sound relatively simple, but like any other major healthcare law it created a seismic shift in the healthcare industry. As the law was about to go into effect, various security and infrastructure pundits offered guides on adapting. One of the best was from Neal Bradbury, writing for the managed services informational site MSPmentor last August.
Three quick ideas for HIPAA adaptation
Here are Bradbury’s three broad tips for adapting to the Omnibus Rule and maintaining HIPAA compliance in 2014 and beyond:
1. Choose shared liability.
One thing that changed with the Final Rule is that business associates are now treated as covered entities, so a hosting company or similar third-party organization (including shredding companies, billers, etc.) is expected to maintain the parameters of the law as well. However, some companies don’t entirely understand the law. It’s up to you to select a knowledgeable, credible organization and make sure a BAA (business associate agreement) is in place.
Bradbury notes that some cloud healthcare services have told customers they don’t need these agreements because cloud providers are considered a “conduit exception” just as postal companies are. Clearly, data networks are more than simply a conduit, so that perspective is false – as indicated in June 2013 by Kimberly M. Wong of Baker & Hostetler LLP.
Before choosing a HIPAA data center of any type, or anyone that handles your PHI (protected health information) in any way, verify that what they are providing is a good fit for a healthcare setting. Once you have a general sense that an organization is healthcare-ready, look at the parameters of the BAA they offer specifically, so you know what they contractually have to do to safeguard patient data.
As Bradbury notes, the BAA “should spell out several ‘What if?’ scenarios, ranging from data breaches to the provider going out of business.” Look at the contract carefully. Clarify anything that needs clarifying. Don’t feel that you are stuck if you don’t like the agreement. You can always go somewhere else. Make sure that the IT vendor assumes significant responsibility.
2. Side with backup and security expertise.
The healthcare industry currently feels pressure from all sides: data must be widely available to take advantage of current technology, but regulations require firm controls. Even though the law is strongly worded, 19 million patients and healthcare providers were affected by data loss or theft between 2011 and 2013. Here are a few considerations regarding strong backup and security:
- What are your current backup policies? Are you encrypting? Are you backing up manually? Bradbury notes that manual backups “almost always lead to backup inconsistency.” You want a provider with a robust system in place, specifically tailored to healthcare, such as our AES-256 (Advanced Encryption Standard-256) encrypted HIPAA Backup Manager.
- What about disaster recovery? Do you currently have NAS (network-attached storage) implemented at your facility? Do you have a DR plan (disaster recovery plan) related to that device? Is all your information automatically backed up to a data center that’s in a safe location at a distance from your headquarters (in the event of a disaster at a single location)?
- How is everything secured at the data center? You need to be concerned with the business associate’s treatment of data in two primary ways: encryption and the security mechanisms of the facility. It’s noteworthy that Bradbury specifically recommends AES-256, the same technology the federal government employs to safeguard top-secret files, and SSAE 16 (Statements on Standards for Attestation Engagements 16, http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf) certification – both comprehensively implemented in every Atlantic.Net HIPAA Compliant hosting solution.
3. Prioritize recovery time.
You should have a sense that multiple redundancies are implemented at a provider, so that crashes are incredibly unlikely. The next thing you want to know is: if there is a systemic failure, how quickly can you get everything back up and running? As Bradbury notes, “This is where the conversation gets real.”
Recovery can be complicated or straightforward, depending on what solution you’re using. Your data may be safe, but it could take up to 72 hours to recover from failure at some facilities, assuming they need to get new hardware, install drivers and an operating system, and transfer in all necessary files.
Why a healthcare specialist?
Bradbury is adamant that you do not want to choose a provider with weak healthcare experience. Atlantic.Net is at the forefront of this industry. Complete Healthcare Solutions chose us because of our “secure infrastructure and expertise in Healthcare IT.” Talk with us, and you will become even more confident that we are the right choice for this and for VPS Hosting.