If you are a business operating in the healthcare industry in the United States, you are subject to guidelines defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act is designed to protect the privacy and security of protected health information (PHI), whether it is held physically or stored and transmitted electronically (ePHI).
Many small and medium-sized businesses that process healthcare data and ePHI do not have the necessary in-house resources to develop and maintain a HIPAA-compliant infrastructure. To achieve HIPAA compliance, these organizations often engage third-party, public cloud service providers (CSPs) to address their server hosting requirements.
Working with a third party is an effective strategy as long as the selected provider can deliver a hosting environment that complies with HIPAA guidelines. Following are some of the ways to determine if a CSP can successfully furnish HIPAA-compliant infrastructure.
Covered Entities and Business Associates
Two terms are important to understand when discussing companies working with third parties to achieve HIPAA compliance.
- Covered entities (CE) are the healthcare providers, health plans, and healthcare clearinghouses that need to comply with HIPAA regulations.
- Business associates (BA) are individuals or companies that perform functions or activities for covered entities involving the use or disclosure of protected health information.
A CSP that provides server hosting for a covered entity is the entity’s business associate. Covered entities are responsible for obtaining assurances that the business associate is taking the necessary steps to protect ePHI. This is often accomplished through a formal Business Associate Agreement (BAA) between the parties.
The privacy and security of patients’ ePHI is a covered entity’s responsibility. Mistakes and oversight made by a business associate can put ePHI at risk and threaten a covered entity’s ability to maintain HIPAA compliance. For this reason, it’s important to check if a CSP is providing server hosting that is compliant with HIPAA standards.
What to Look For in HIPAA-Compliant Server Hosting
HIPAA compliance requires CEs and BAs to implement the administrative, physical, and technical safeguards defined in the HIPAA Security Rule. These safeguards are in place to protect the confidentiality, integrity, and security of ePHI.
To comply with the Security Rule, CEs need to:
- Ensure the confidentiality, integrity, and availability of the ePHI they process, store, or transmit;
- Identify and protect against reasonably anticipated threats to ePHI;
- Protect against unauthorized use or disclosure of ePHI;
- Ensure compliance by their workforce.
Following are some of the most impactful technical aspects of a HIPAA-compliant server hosting infrastructure that address the safeguards defined in the HIPAA Security Rule. CSPs being considered to supply compliant hosting need to have all of these elements in place.
- Security management process – The CSP needs to have a process in place to analyze potential risks to ePHI and implement the appropriate security procedures to minimize vulnerabilities and risks. Periodic assessments of the security policies must be conducted to identify emerging issues that need to be addressed.
- Information access management – Access to ePHI should be restricted to those individuals who need it to perform their job or role.
- Workforce training and management – A CSP that is delivering HIPAA-compliant hosting needs to provide training to its workforce that interacts with ePHI. Employees need to be supervised and appropriate disciplinary actions need to be taken for violations of security policies.
- Facility access – Physical access to systems containing ePHI needs to be limited while ensuring access for authorized entities.
- Workstation and device security – The CSP must have policies in place that ensure the appropriate use of workstations and electronic media. This includes the secure disposal of media containing ePHI.
- Access controls – Procedures must be in place that only grant access to ePHI to authorized individuals. This includes measures such as Identity and Access Management (IAM) to keep unauthorized users from using ePHI. It also includes protecting the network with reliable firewalls to keep intruders away from sensitive data.
- Audit controls – Audit controls must be implemented to log access to software and hardware items associated with ePHI. These logs must be analyzed to determine if there were attempts at unauthorized access.
- Integrity controls – A CSP needs to have policies in place that ensure the integrity of ePHI so that it is not improperly altered or destroyed.
- Transmission security – All ePHI transmitted over a network needs to be secured. Typically, this is accomplished by encrypting the data before transmission, and ideally, encrypting ePHI at all times.
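The audit-control and access-control items above are the ones a covered entity can most easily verify for itself: ask the CSP how ePHI access is logged and how those logs are reviewed for unauthorized attempts. The script below is an added illustration of that review step; it is not code from this article or from Atlantic.Net. The log line format, the role names, the patient record identifiers and the role-to-action permission table are all assumptions constructed for the example.

```python
"""Review constructed ePHI access-log lines for two audit-control findings:
repeated denied attempts by one user, and allowed actions that exceed the
user's role (a minimum-necessary access policy violation).

Added example; the log format and policy below are assumptions, not any
real CSP's format."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (hypothetical format):
# <timestamp> <user> <role> <action> <record> <ALLOW|DENY>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice clinician READ patient/1001 ALLOW
2024-03-01T08:05:42Z bob billing READ patient/1001 ALLOW
2024-03-01T08:07:09Z mallory contractor READ patient/1001 DENY
2024-03-01T08:07:15Z mallory contractor READ patient/1002 DENY
2024-03-01T08:07:21Z mallory contractor READ patient/1003 DENY
2024-03-01T08:07:30Z mallory contractor READ patient/1004 DENY
2024-03-01T09:15:00Z carol sysadmin EXPORT patient/2001 ALLOW
2024-03-01T09:20:33Z alice clinician UPDATE patient/1001 ALLOW
"""

# Assumed role-based policy: the actions each role is permitted on ePHI.
# Infrastructure staff and contractors get no content-level access at all.
ROLE_PERMISSIONS = {
    "clinician": {"READ", "UPDATE"},
    "billing": {"READ"},
    "sysadmin": set(),
    "contractor": set(),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


@dataclass(frozen=True)
class Event:
    timestamp: str
    user: str
    role: str
    action: str
    record: str
    outcome: str


def parse_log(text: str) -> list[Event]:
    """Parse log text into Event records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(*m.groups()))
    return events


def find_denied_bursts(events: list[Event], threshold: int = 3) -> dict[str, int]:
    """Users with at least `threshold` DENY outcomes; repeated denials are
    the 'attempts at unauthorized access' an audit review should surface."""
    denies = Counter(e.user for e in events if e.outcome == "DENY")
    return {user: n for user, n in denies.items() if n >= threshold}


def find_policy_violations(events: list[Event]) -> list[Event]:
    """ALLOWed actions outside the role's permitted set. These indicate an
    access-control misconfiguration: the system granted more than policy allows."""
    return [
        e for e in events
        if e.outcome == "ALLOW" and e.action not in ROLE_PERMISSIONS.get(e.role, set())
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denied bursts:", find_denied_bursts(evs))
    for v in find_policy_violations(evs):
        print("policy violation:", v.timestamp, v.user, v.role, v.action, v.record)
```

On the constructed sample this flags one user with four denied reads in quick succession and one allowed EXPORT by an infrastructure role that the policy table gives no ePHI access, which is exactly the kind of finding a CSP's periodic log review should be able to produce and show to the covered entity.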
CSPs should be able to demonstrate the ways they have implemented these safeguards to assure a CE that they can provide a HIPAA-compliant server hosting environment.
How CSPs Demonstrate Their Ability to Provide HIPAA-Compliant Hosting
Cloud service providers can demonstrate their readiness to provide HIPAA-compliant hosting by obtaining multiple certifications and passing audits that test their compliance standing. Following are some of the specific items to look for in a CSP.
- The primary method CSPs have of assuring customers that they can deliver HIPAA-compliant hosting is to enter into a business associate agreement. This agreement defines the CSP’s responsibilities in protecting the covered entity’s ePHI assets. CSPs that are confident they can deliver a compliant infrastructure will have no problem signing a BAA.
- A CSP that advertises its ability to provide HIPAA-compliant hosting should have successfully passed HIPAA and HITECH audits by reputable and independent third parties. This can include an official HIPAA audit conducted by the Department of Health and Human Services Office for Civil Rights (OCR).
- SOC 2 and SOC 3 Type II certification indicates that a CSP has the necessary security procedures in place to comply with HIPAA regulations. This certification ensures that reliable and managed firewalls as well as encrypted VPNs are implemented. Intrusion detection and threat prevention solutions must also be used to secure the environment.
Red Flags to Avoid When Looking for HIPAA-Compliant Hosting
The following red flags should be avoided or treated with extreme caution when searching for a HIPAA-compliant server hosting option. It’s likely to be in your company’s best interests to look elsewhere if prospective CSPs demonstrate these deficiencies.
- The absence of a Business Associate Agreement – CSPs that will not enter into a BAA with the covered entity purchasing their services should immediately be eliminated from consideration. Signing a BAA is a basic requirement that should be part of all competent service providers’ offerings.
- Limited experience in the healthcare field – Providing HIPAA-compliant infrastructure involves a lot of interconnected moving pieces. CSPs with limited experience may not be able to meet the stringent demands of HIPAA compliance.
- Lack of certifications or security audits – A reliable CSP should be able to demonstrate their ability to provide HIPAA-compliant server hosting with the certifications and audits discussed previously in this article.
Covered entities need to research the prospective BAs that will provide HIPAA-compliant server hosting. It’s essential to avoid the red flags discussed above and look for a CSP that can demonstrate its experience and expertise in providing and maintaining infrastructure that complies with HIPAA regulations. It may be tempting to look for the least expensive server hosting provider, but that can wind up costing you much more in the long run.
Make sure you have a reliable business associate that will keep your ePHI safe by following HIPAA guidelines. Your company is responsible for the security of the ePHI you entrust to a CSP, so be sure you are working with one that will protect these valuable resources.
Robert Agar is a regular contributor and blogger for Atlantic.Net living in Northeastern Pennsylvania who specializes in various information technology topics. He brings over 30 years of IT experience to the table with a focus on backup, disaster recovery, security, compliance, and the cloud.