Technology service providers marketing their services to healthcare institutions have had to deal with the finer details of the data privacy rules laid down by HIPAA, the Health Insurance Portability and Accountability Act. Companies that handle protected health information (PHI) on behalf of a healthcare organization, such as cloud telephony providers, electronic health record (EHR) firms and SaaS providers, are classed as Business Associates under HIPAA. Earlier, these companies were only required to sign business associate agreements, follow best practices and support breach notification procedures; compliance was largely a contractual matter, and those who did it honestly and consistently were recognized for it.
As cloud service providers multiply, they will offer more services and promise ease of use and richer functionality. In that rush, HIPAA compliance, as distinct from standard security, is easy to overlook. Until recently these companies were not directly answerable to the US Department of Health and Human Services (HHS) at all. Since last September, when the HITECH Act's rules making business associates directly liable came into force, things have become stricter.
The HHS Office for Civil Rights (OCR) has given EHR and SaaS providers plenty of reasons to comply with HIPAA. OCR is the primary enforcement body for HIPAA, and its investigations of non-compliance have led to fines against many organizations, in some cases running to millions of dollars. It is time that service providers took HIPAA compliance seriously.
Preparations for HIPAA compliance
There are two primary things for EHR and SaaS companies to consider:
- No company can escape OCR's attention for failing to protect PHI as required by the HIPAA standards. OCR has made it amply clear that no organization is too small for HIPAA enforcement, and now that the Business Associate provisions are in force, OCR will keep close tabs on cloud providers that endanger PHI.
- Providers also have to reckon with the fact that their healthcare clients will be anxious about how PHI is handled in the cloud. Any lapse would hurt their business badly.
As service providers start securing their infrastructure, they will find better ways to address HIPAA requirements and customer concerns at the same time. With some care, cloud telephony and SaaS providers can make their cloud services more demonstrably HIPAA compliant than the on-premise solutions they replace.
Small changes in architecture can make data storage in the cloud more HIPAA compliant. HIPAA requires PHI to be stored securely, and a SaaS provider can design its architecture so that PHI is never stored locally on the laptops, tablets and other mobile devices used to reach the cloud service: the device renders the data but does not cache or download it. That removes a large share of the risk of insecure data handling, because a lost or stolen device then holds no PHI.
SaaS providers have to ensure that data is adequately protected within their own infrastructure and within that of any enterprise they collaborate with. Encryption of data in transit works in tandem with the infrastructure security the SaaS provider offers. Log management and log collection should be regularly scheduled tasks, so that customers and auditors can see the efforts the SaaS provider is making to meet HIPAA standards. Any loophole must be identified and closed quickly.
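As an added example, not code from the original article or from any particular provider, the following Python sketch shows two of the controls described above in working form: the response headers that keep PHI off the endpoint's local cache and keep the client on TLS, and an audit-log writer that records who accessed which patient record and when, without copying the PHI into the log. The header policy, the log format and the audit key are assumptions chosen for illustration, not text quoted from the HIPAA rules.

```python
"""Added example: two controls for PHI-bearing HTTP endpoints.

1. phi_headers_ok() checks a response's headers against a no-local-storage
   policy (Cache-Control: no-store, HSTS, Secure+HttpOnly cookies).
2. audit_record() writes a log line that lets auditors reconstruct access
   to patient records while never containing the raw patient identifier.

The header policy, log format and key are assumptions for this example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Headers every response carrying PHI must send.  "no-store" is the
# directive that keeps browsers and intermediaries from writing the body
# to disk; HSTS keeps the client on TLS for subsequent requests.
# (Policy chosen for this example, not a quotation from HIPAA.)
PHI_RESPONSE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "application/json; charset=utf-8",
}


def phi_headers_ok(headers):
    """Return a list of findings for a response's headers; empty means safe.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    directives = {d.strip().lower()
                  for d in lower.get("cache-control", "").split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: PHI may be written to a disk cache")
    if "public" in directives:
        findings.append("Cache-Control: public lets shared proxies cache PHI")
    if "strict-transport-security" not in lower:
        findings.append("missing Strict-Transport-Security: later requests may fall back to HTTP")
    cookie = lower.get("set-cookie", "")
    if cookie:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            findings.append("session cookie is not marked Secure and HttpOnly")
    return findings


def pseudonymize(identifier, key):
    """Keyed HMAC-SHA256 of a patient identifier.

    The same identifier always maps to the same token, so auditors can
    correlate events, but the token cannot be turned back into the MRN
    without the key, which lives outside the log pipeline.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_record(actor, action, patient_id, outcome, key, when=None):
    """Build one JSON audit-log line for an access to a patient's record.

    Records who did what to which (pseudonymized) record, when, and whether
    it succeeded, and nothing else: no names, no diagnoses, no free text,
    so the log never becomes a second copy of the PHI.
    """
    if when is None:
        when = datetime.now(timezone.utc).isoformat()
    return json.dumps({
        "ts": when,
        "actor": actor,
        "action": action,
        "patient": pseudonymize(patient_id, key),
        "outcome": outcome,
    }, sort_keys=True)


def leaks_identifiers(log_line, raw_identifiers):
    """Return the raw identifiers that appear verbatim in a log line.

    Run this over log output before it is shipped to a central log store;
    a non-empty result means PHI is being logged.
    """
    return [ident for ident in raw_identifiers if ident in log_line]


if __name__ == "__main__":
    # Constructed sample input; the key is a placeholder, not a real secret.
    key = b"example-audit-key-not-for-production"
    line = audit_record("dr.smith", "read", "MRN-00012345", "success", key,
                        when="2014-05-01T09:30:00+00:00")
    print(line)
    print(leaks_identifiers(line, ["MRN-00012345"]))
    print(phi_headers_ok({"Content-Type": "application/json"}))
```

The header check is meant to run in the provider's test suite or as a middleware assertion on every PHI route, so a developer who forgets `no-store` on a new endpoint is caught before the response ever reaches a tablet. The HMAC key for the audit log should be managed like any other secret and kept out of the log store itself; if it ever has to be rotated, older tokens stop correlating with newer ones, so plan the rotation window with the auditors in mind.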
Michelle Patterson has been working with telecom companies for over 20 years, and is excited by the new IP/VoIP/cloud telephony systems flooding the market. She is experimenting with some of the new technologies and writes in blogs about her experiences.
Hear more on healthcare in the cloud at this year’s Cloud World Forum!