Achieving HIPAA Compliance: IT’s Indispensable Role
By Adam Stern | Health IT Outcomes
In my view, the IT vendor’s proper role is to showcase the powerful economic rationale for those in healthcare to get out of the practice of buying/maintaining hardware that is obsolete practically before the paint is dry. Vendors must also set an example through practical, customer-centric initiatives designed to simplify the cloud for these organizations — things like “onboarding” services, aimed at eliminating the fear factor (and the “how do we do this?” factor) from the cloud migration process.
The cloud may be easier and more affordable than advertised but it isn’t free. Still, compute horsepower is finally a virtual — or, perhaps more appropriately, a virtualization — bargain. Today, it’s entirely possible for a healthcare provider to spend $10K a month and tap enough compute power to drive a 1,000-user organization, even if the office or clinic is just a fraction of that size. That’s less than the cost of hiring a single engineer.
The market is now awash in Infrastructure as a Service (IaaS) tools and technologies, empowering healthcare organizations that may lack traditional IT resources to still benefit from remarkably robust products and platforms. Savvy virtualization providers have already done the heavy lifting for some healthcare organizations, with fully HIPAA-compliant solutions that they can deploy largely on their own. Indeed, IaaS providers are ideally positioned to enable healthcare organizations to get — and stay — HIPAA compliant.
The IaaS model represents the surest way for medical offices of modest size to remain both fully HIPAA compliant and free of IT providers out to sell more than you need. IaaS is holistic, accommodating growth (and attendant needs for higher performance) while providing users with more than adequate headroom. That’s especially relevant in an environment as sensitive and highly regulated as HIPAA hosting.
IaaS rejects the notion that the cloud is strictly about hardware. Instead, the IaaS model is increasingly focused on application delivery. No matter what application a healthcare organization is using, an experienced IaaS provider should know how to deliver that app. Every HIPAA hosting plan should be designed to deliver what medical offices need, and it should never be necessary to build from scratch.
Certainly, IT providers and healthcare providers share a common interest in breach-free cloud computing. A recent study by the law firm Baker Hostetler revealed that more healthcare data breaches occurred in 2015 than any other type of data security event. The report agrees with previous analyses indicating that healthcare is consistently one of the sectors most affected by privacy and security violations.
Violations of HIPAA, the Health Insurance Portability and Accountability Act of 1996, are especially difficult to detect and potentially calamitous because of that difficulty. But healthcare providers and IT providers have distinct roles to play — and getting the lines of demarcation correct is essential for both.
Every upstream IT vendor (or even sub-vendor) that has access to patient data needs to sign a business associate agreement (BAA) in order to be in the HIPAA food chain. A BAA under HIPAA is a sort of promissory note that the IT provider will adhere to the HIPAA law. But a BAA doesn’t compel compliance or insulate IT providers from liability or responsibility — that’s why healthcare providers looking for IT support need to exercise extraordinary due diligence in selecting a technology partner. When an IT provider reads a BAA, it’s striking how generic the document is. The things a BAA mandates that an IT vendor do are quite limited. Ultimate responsibility for data privacy falls to the healthcare provider, not the IT provider. At most — in most circumstances — IT providers are liable for breach notification and for keeping data absolutely confidential.
As of right now, there’s a persistent lack of clarity around HIPAA, and nothing has been tested in court. The fact is “HIPAA compliance” comes with disturbingly few obligations. Perhaps owing to whatever legislative sausage-making gave birth to the law, HIPAA offers no guidance on how to follow it.
The real question is how an IT provider prevents a breach in the first place. The law doesn’t spell it out. There is, of course, a new cottage industry of third parties (non-profit associations and for-profit companies) that sell products and services that “enforce” HIPAA compliance, but none has the imprimatur of the federal government, and to date, nothing has been tested in court. And that means “buyer beware” should be the order of the day: hospitals and other healthcare organizations need to be mindful when they select an IT provider, because the healthcare organization remains liable for any and all HIPAA violations. The buck can’t be passed to the hosting company (even if deserved).
That said, IT providers are still subject to the full extent of the HIPAA law. The prudent strategy for healthcare organizations is to partner with a technology vendor that the healthcare provider can validate as fully engaged in HIPAA protocols. HIPAA hosting plans need to deploy technologies such as clustered firewalls and intrusion detection and prevention software (IDPS), which is capable of detecting threats to sensitive patient data that even the best firewall won’t catch.
A well-oiled IaaS machine — where servers and prefab packages effectively take the place of IT professionals — should deliver 100 percent uptime. Basic SLAs should provide, at minimum, “semi-managed services.” That is, the IaaS vendor should manage technology from the hosting environment up to the operating system, including every jot and tittle concerning patient privacy and data security. Healthcare providers can be as involved in the application install and management as they choose to be, or request concierge-level service.
With strict HIPAA compliance as a given, IaaS technology vendors are in a prime position to deliver peace of mind to healthcare providers as they cut through the fog that often envelopes the cloud.