Why does a HIPAA-compliant system cost more than a standard hosting environment does? The reason at a broad level is the need for extra technological “bells and whistles” – although they are by no means superficial. These additional features are necessary because of healthcare regulations, established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that are focused centrally on maintaining digital security (Security Rule, outlining encryption and other legally mandated data safety means) and protecting patient privacy (Privacy Rule, protecting healthcare information of US citizens).
This is a guest post written by Adnan Raja, on behalf of Atlantic.
Let’s discuss why HIPAA costs more than a standard IT system; but first, we will briefly look at the difference between the Privacy Rule and Security Rules, so we know the foundational overarching concerns that are built into these types of healthcare IT (HIT) infrastructures.
Difference Between HIPAA Privacy Rule & Security Rule
OK, so let’s look at what are considered the two most critical aspects of HIPAA compliance when you are setting up IT systems: the Privacy Rule and Security Rule, both of which are outlined in Title II of the landmark healthcare law. (Note that other recent federal law is also critically important in understanding and properly managing HIT systems, such as the Breach Notification Rule.)
The Privacy Rule outlines the requirements for people or organizations to look at protected health information (PHI – documents and data, such as medical records, that are protected by HIPAA). Digital environments must be concerned with meeting its standards at a broad level. When we get more granular in terms of the specifications for a HIPAA IT system, we must look at the Security Rule. The parameters of the Security Rule are intended, per the federal legislation, to maintain the system so that ePHI (electronic PHI) is never compromised by unauthorized parties.
The Privacy Rule mandates that covered entities (healthcare providers such as hospitals; medical data clearinghouses; and healthcare plans such as insurers) implement a number of “physical,” “technical,” and “administrative safeguards.” It is possible that your organization has met the Privacy Rule without focusing as much on the Security Rule up to the present. If that is the case, you will still find that stipulations set forth within the latter have been met by your compliance with the former.
To meet the Privacy Rule, take care by protecting digital systems and adhering to other privacy best practices. To meet the Security Rule, take precautionary measures to make sure tools are in place that prevent intrusion or misuse of patient data. Below, we cover those precautionary steps.
7 Reasons HIPAA Compliant Hosting is More Expensive Than Typical Hosting
OK, so here are a few of the primary reasons that HIPAA requires a larger budget than a standard setup for your data system; these elements describe some of the key characteristics that you need so you can avoid pricey and reputation-harming violations.
- Private hosted environment – The system that you set up to protect your patient’s health records and other sensitive data should be set up and available only for the use of one covered entity (i.e., just your organization).
- Fully managed firewall – Having a managed firewall in place gets to the heart of the way that a HIPAA hosting service is actually a managed service. With a “fully managed” firewall, you will get firewall setup, administration, oversight, reporting, and support.
- Encrypted VPN – A virtual private network should be in place to encrypt data using standardized protocols such as secure sockets layer (SSL), internet protocol security (IPsec) or generic routing encapsulation (GRE).
- Encrypted backup – It is absolutely critical that no ePHI ever gets stolen of course (the encryption part), but it is also key that it not get lost. You want a backup, but you need it to be encrypted as well so that the data there is behind lock and key just like your main system is.
- Log management system – You need to have logging software in place to allow for the careful control of data viewing and manipulation. You certainly do not want to disregard possible intrusions (especially given the Breach Notification Rule), and log management is a straightforward way to watch access.
- Anti-malware – It is critical that any healthcare system that contains PHI has robust defenses against all forms of malicious code or other assault.
- SSAE 16 audit (optional) – To find a qualified HIPAA host, you can check its ability to meet the parameters of a key industry security and controlling standard, Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
How to handle HIPAA on a small budget
In 2012, federal investigators determined that a cardiology practice in Phoenix, with just five physicians, had violated the HIPAA Privacy Rule. The healthcare firm was charged what some would call an excessive fine: $100,000. Before that point, it was easier for smaller healthcare providers to convince themselves that the regulations were designed for larger entities such as insurers and hospitals more than it was for them.
The thing that all practices should keep in mind is that having your name drawn for an audit is just one way that you could be cited with a violation; it is also possible that someone (perhaps a competitor or disgruntled former employee) will become aware of weakness within your system and report you.
Despite these concerns, given the various additional elements that you need to make your IT systems HIPAA-compliant, the cost may seem overwhelming to a small practice or physicians’ group. How can you successfully and consistently uphold proper data safeguards as cost-effectively as possible?
Here are three strategies:
Use common sense – Being compliant with HIPAA is not all about painstakingly working your way through legislation or comprehending sophisticated technologies. You need to provide training so your staff knows exactly how to be discreet with any patient communications – the specifics of what that involves. The Breach Notification Rule, letting your patients know if their data is exposed, is also straightforward.
Be aware of technical requirements – In the first round of the Health and Human Service Department’s HIPAA audits of healthcare providers, they found an incredible degree of failure within the sample they assessed. In looking at 59 organizations, the agency found that 58 did not meet the needs that are described in the law. In a way, that is unsurprising (since, after all, medicine has moved to a digital format faster than practices have been able to understand the risks of that context). Education on these requirements, though, is key to compliance and avoiding fines.
Get the help you need – Unfortunately, you are expected to meet HIPAA guidelines regardless whether IT security is your area of expertise. One good thing to know is that the law has been updated so that you, as a covered entity, are not the only type of organization that is responsible for meeting HIPAA guidelines: the HIPAA Omnibus Rule or Final Rule made your business associates responsible for meeting these parameters as well. That means that if you choose to work with a hosting service so that you can get your systems properly aligned with HIPAA, you are not just leveraging outside support and expertise but coordinating with a company that will be legally compelled to keep your data secure per the business associate agreement (BAA) that they sign into effect with you.
How much does HIPAA hosting cost?
Prices can vary substantially from one provider to another. However, now you should have a basic idea of why hosting that is compliant with healthcare regulations is generally costlier than a standard computing environment. If you’d like to take a look at one HIPAA-compliant hosting provider’s services, see Atlantic.Net’s HIPAA dedicated pricing and HIPAA cloud pricing.