Guest post by Scott Walters, client services, INetU.
Whether they are cloud providers, EHR services firms or SaaS providers, technology companies that market to healthcare organizations are considered “business associates” under HIPAA. In the past, that meant customers often asked them to sign agreements assuring that they were employing best practices and would provide breach notifications to help customers maintain compliance.
As of September 13, 2013. however, changes to the guidelines were implemented that mean technology providers are now directly liable to the U.S. Department of Health & Human Services (HHS) for securing any PHI that they’re entrusted with. In addition to the increase in accountability, this first-hand responsibility also brings technology providers under the threat of fines that can now reach well into the millions of dollars.
The Cost of a Breach
The HHS Office for Civil Rights (OCR), the main enforcement body for HIPAA, has been gradually increasing fines for organizations that violate HIPAA compliance. The penalties have totaled well into the millions, with several organizations in the past few years receiving fines in excess of $1.5 million from OCR. In fact, according to data from the Department of Health and Human Services, HIPAA-covered entities and now business associates have paid more than $18.6 million to date to settle alleged federal HIPAA violations with $3.7 million of that coming from organizations in the last year alone. On top of this, there are often state and private legal settlements involved.
The Massachusetts Eye and Ear Infirmary (MEEI) is among the organizations that have experienced dramatic penalties firsthand, incurring fines of $1.5 million in 2012 after the theft of a laptop from an MEEI doctor who was traveling to Asia ended up exposing PHI. Blue Cross Blue Shield of Tennessee also paid $1.5 million in the same year following a breach of 1 million patient records stemming from the theft of 57 unencrypted hard drives from a leased training facility.
These two examples not only show the potential cost of a breach, they also demonstrate another quality that reaches across many of the violations to date – the fact that many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. As technology providers offer services to manage this type of data, the onus to meet HIPAA regulations is more frequently falling on their shoulders. The upside to this is that, with some forethought, SaaS and EHR providers have the opportunity to make their cloud services even more HIPAA ready than their customers’ on-premise solutions.
Building the Cloud for HIPAA Compliance
The advantage that SaaS providers have when it comes to HIPAA compliance rests primarily in their ability to control cloud architecture. With insecure local storage of information serving as one of the main sources for HIPAA breaches, SaaS providers have the opportunity to eliminate many compromises by designing their architecture to inhibit local storage of PHI on the devices used to access that information in the cloud.
For this solution to work, SaaS providers must have adequate security measures within their own cloud infrastructure, and strong encryption for data-in-motion. This means classifying customer data and segmenting networks and systems containing sensitive PHI away from lower-risk parts of their infrastructure. Technology providers should also be instituting the strongest forms of encryption on these sensitive PHI databases, and ensuring control over who can access the information – both within their healthcare clients’ organizations and with the administrators at their own company via strong privileged access controls.
Just as important as ensuring this level of security is the ability to log and report on data to prove compliance. SaaS providers must offer their customers strong and flexible access control connectors so they can know who is looking at what data, and should have some means of collecting their logs in order to demonstrate compliance for both clients and auditors.
Maneuvering the intricacies and nuances of the data privacy provisions to achieve HIPAA compliance may seem daunting for busy SaaS and EHR providers, but there are a number of resources available to help guide them through the process.
For more technological and tailored guidance, hosting providers can often provide counsel on cloud architecture for SaaS and EHR companies. Far from the early days of straight technology provision, experienced hosting providers today are well acquainted with HIPAA and HITECH requirements and are able to help technology providers comply with regulations so they can focus on other aspects of growing their business.
However, not all hosting providers are created equal. When choosing a hosting provider to work with, SaaS and EHR companies should inquire about its network security and network controls, patch management services for hosted assets, systems and applications monitoring and reporting capabilities in case of an audit. In addition – particularly for smaller businesses or those with over-burdened internal resources – SaaS and EHR providers should ask about hosting companies’ teams’ expertise in HIPAA, willingness to provide counsel and how involved they would be willing to get in the case of an OCR audit.
More than 30.6 million individuals have had their PHI compromised in a large HIPAA privacy or security breach to date, and for the companies looking to provide technology to the healthcare industry, few things are more frightening than the idea of finding that they’re the ones liable in a breach. With proper architectural changes however, SaaS and EHR providers have an opportunity to turn liability into a new security competitive advantage and establish new streams of revenue for their business.