The healthcare industry was late to the cloud. The reason for the lateness was the Health Insurance Portability and Accountability Act (HIPAA). HIPAA dictates the rules for storing and transmitting electronic health data. It was established by US Congress in 1996. HIPAA consists of privacy rules, security rules and breach notification rules for health data. Therefore, the cloud had to be ready for HIPAA hosting before the healthcare industry could make a move.
Key Terms Regarding HIPAA Hosting Compliance
The following terms are relevant to understanding HIPAA compliance:
- Health Insurance Portability and Accountability Act (HIPAA): Passed in 1996. A law created in the US to facilitate the sharing of health data in a secure manner.
- Protected Health Information (PHI): Data collected about patients are called PHI. Anyone handling the data has to follow strict rules and protocols to ensure the security and integrity of the PHI data. Electronic protected health information is recognized as ePHI.
- Health Information Technology for Economic and Clinical Health (HITECH): Passed in 2009. Together HIPAA and HITECH determine the process of handling PHI data.
- Business Associate Agreement (BAA): Anyone who handles sensitive PHI data for healthcare is considered a business associate. The contract between the business associate and the customer is the BAA.
HIPAA Compliance for Hosting
HIPAA is a comprehensive piece of legislation that covers a lot of ground. Health and Human Services (HHS) define these rules:
- Privacy Rule: Rules and regulations about the use and disclosure of PHI.
- Security Rule: Rules and regulations about protecting ePHI.
- Breach Notification Rule: Rules and regulation about how to handle information flow after a breach.
The implementation of the HIPAA laws is left to the organization. The organization has to prepare and be audit-ready.
The purpose of HIPAA is to protect the PHI data. The hosting organization will have to comply with the HIPAA rules. There also needs to be an audit trail. The hosting service and the business associate both have to maintain their own log files.
Also, HIPAA hosting service and the business associate are bound by the BAA or Business Associate Agreement. It is a contract between the two parties. The BAA should clarify the responsibilities of each party.
The Shared Responsibility Model
An important point to understand is that HHS doesn’t directly recognize the HIPAA hosting provider as HIPAA-compliant. The compliance is achieved using the shared responsibility model. Responsibilities are divided as follows:
- HIPAA hosting service is responsible for the physical infrastructure and environment according to HIPAA best practices.
- The customer is responsible for managing workloads except for physical infrastructure.
In other words, healthcare customer is responsible for designing and maintaining the application. The HIPAA-compliance of application layer is the customer’s responsibility. Any issues regarding the physical infrastructure will remain the HIPAA hosting services responsibility.
For example, the hosting service will provide vulnerability scanning, anti-virus protection, two-factor authentication to the customer portal, and more. The healthcare customer will be responsible for vulnerability assessment of the application, access control on the application layer, client-side data encryption, and more. Thus, the shared responsibility model is a vital part of the HIPAA compliance review process.
As a result, HIPAA hosting solutions can effectively protect ePHI data. It is a high-quality affordable solution that makes sense for modern healthcare institutions.
Revion Solutions Incorporated has been providing compliance ready solutions for over a decade. Please contact us today to discuss how we can help make HIPAA compliance hosting work for you: