By Adam Stern
HIPAA compliance is the Good Housekeeping® seal for IT organizations serving the healthcare sector.
The quick if not simple answer is yes – but. The HIPAA HITECH audit program analyzes various processes, controls and policies in the healthcare and health insurance arena, in keeping with the Health Information Technology for Economic and Clinical Health (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009. The audit spells out many of the requirements contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to protect the privacy and security of protected health information.
The federal Office of Civil Rights established a comprehensive HIPAA audit protocol that specifies requirements to be assessed through these performance audits. The audit protocol is organized around modules representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
HIPAA sets forth a rigorous and demanding regulatory environment, and only a select number of vendors can truly compete in the space, largely because of these data security requirements. But in order for a vendor to say that it’s HIPAA compliant, that provider doesn’t actually have to do anything.
Nothing. Nada. Zilch.
I’ll repeat that: no one forces any provider to submit to a HIPAA audit. For many (I’d say too many), the “business associate agreement” loophole is big enough to drive an ambulance through. A business associate agreement (BAA) under HIPAA is a sort of promissory note that the provider will adhere to the HIPAA law. Agreements are typically vague, however, and open to interpretation.
“With these new regulations in mind, a HIPAA business associate agreement should [emphasis mine] explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate’s subcontractors,” noted Margaret Rouse in TechTarget. “In addition, HIPAA business associate agreements should require a BA to demonstrate how it will respond to an Office of Civil Rights investigation.”
No audit required. In practice, simply signing a BAA isn’t enough. That’s why healthcare providers looking for IT support need to exercise extraordinary due diligence. Some regulatory authorities have made an effort to rein in vendors who sign these agreements, and some standards bodies have, commendably, sought to clarify what the law means and what HIPAA is ultimately trying to accomplish. But nothing has been tested in court. Where does the responsibility lie? With the healthcare provider? With the vendor? Where does the buck stop?
Even with those questions in limbo, healthcare providers are subject to the full extent of the HIPAA law — security, backup, data protection, the entire gamut. And they are required to notify patients if a breach occurs.
While healthcare providers might be capable of doing various techy things on their own – conducting annual HIPAA audits and getting on that test/fix cycle – most would prefer not to do the heavy lifting in-house. Better to screen and select a cloud provider who can do those essential tasks on your behalf, deliverables that can then be dropped into your audit. If that provider’s nodding familiarity with HIPAA doesn’t extend beyond a BAA, however, keep looking. Until the law is thoroughly vetted in court, you, as the healthcare provider, are on the hook. That federal authorities could go after both you and your vendor in parallel doesn’t relieve you of due diligence. The prudent strategy is to partner a vendor who you can validate as fully engaged in HIPAA protocols.
Perhaps owing to whatever legislative sausage-making gave birth to HIPAA, the law gives you no guidance on how to follow it. As noted, third parties have stepped in to assist the technology community, primarily with formulation of the HIPAA HITECH audit, and passing that rigorous test has become the bare minimum for any vendor doing business in the HIPAA space.
While not designed to address HIPAA compliance, Skyhigh Networks’ CloudTrust™ Program (www.skyhighnetworks.com) is a model of what you might call “due diligence by proxy.” Clearly, someone has to do the due diligence – someone needs to look at the provider landscape as a third party and assure a level of security people can count on. A vaccum exists, and it needs to be filled. Audits aren’t enough.
So here’s the takeaway: healthcare providers need to vet cloud vendors on the basis of their ability to deliver real pain relief (health metaphor intended) and clearly show that they have gone the extra mile, to true protection.
That’s the kind of due diligence that third parties need to exercise, beyond the HITECH audit (which, again, doesn’t relieve anyone of liability). For enlightened technology providers, HIPAA compliance should be regarded as a responsibility and, yes, an opportunity — not a burden.
Adam Stern is founder and CEO of cloud hosting provider Infinitely Virtual. Twitter- @iv_cloudhosting