Introduction to HIPAA Compliant Hosting
Hosting a website or service adhering to the HIPAA guidelines requires HIPAA compliant hosting. The HIPAA recognizes all health care providers and their business associates as covered entities (CEs) and makes them responsible for safeguarding the privacy and security of identifying information. Some CEs, particularly smaller ones, don’t have the resources necessary to implement a system to handle and safeguard health data on their own, so they rely upon the services of HIPAA hosting. These HIPAA compliant hosting providers are self-described service providers that advertise solutions for managing and maintaining healthcare data under the rules and regulations established by the HIPAA. However, there is no governing rule or body that determines whether a particular hosting provider is actually able to maintain a system that meets the requirements for compliance. CEs have to look beyond the advertised capabilities of hosting providers to determine their fit for the job.
In the same manner that the government does not specify requirements for hosting providers, it does not recognize any entity as a certification authority for HIPAA compliance. Training and certification programs are recognized and used by CEs in the industry. These programs may be used by CEs to identify valid candidates when assessing potential HIPAA Compliant Hosting providers. However, each CE has sole responsibility for compliance. The Department of Health and Human Services (HHS) established the HIPAA and relies upon individual CEs to establish their own methods of meeting the requirements. The HHS will not accept, as an excuse for not meeting the requirements for compliance, the argument that a chosen HIPAA compliant web hosting provider failed to secure data as expected.
The HHS also implemented a system to audit select CEs to assess their ability to meet the requirements of the HIPAA Privacy Rule, HIPAA Security Rule (more on this rule below) and HIPAA Breach Notification Rule. In fact, the HITECH Act, which expands upon the privacy and security protections of the HIPAA, provides for certain CEs to be compensated for demonstrating meaningful use of their electronic health records. Among other things, these audits help in establishing best practices that may be used in assessing the practices used by hosting providers.
The HITECH Act was enacted to account for the transition to electronic records and the security vulnerabilities associated with handling digital data. The HIPAA guidelines make all persons who handle electronic Protected Health Information (ePHI) responsible for the integrity, confidentiality and availability of that data. The HIPAA HITECH Act defines rules for the sharing of electronic medical records (EMR) and imposes stiff penalties upon those entities that fail to show that they have a system in place to meet that responsibility.
The federal Department of Health and Human Services (HHS) is responsible for developing and enforcing the rules and regulations established by HIPAA and HITECH. The HHS will audit, fine and charge entities that are found to have violated the established rules and regulations. The rules and regulations do not specify how an entity should implement methods of security and protection for electronic data. Instead, the HHS allows entities to implement their own chosen methods and then subjects them to audits to show that they have met HIPAA requirements. However, there are best practices used in the industry that the HHS would expect entities to make use of, or to show that they are able to implement a comparable or better system. Otherwise, an entity may be considered negligent.
HIPAA Covered Entity
Rules and regulations apply to healthcare providers, also known as HIPAA covered entities, as well as any of their business associates that have access to or handle EMR. Covered entities and their business associates have the responsibility not only of protecting data per the rules and regulations, but also of reporting any violations or instances of misuse, either within their own business processes or within the processes of other business entities. A HIPAA compliant covered entity does not imply that its business associates are also compliant, or vice versa. Individual audits are used to assess compliance for covered entities and their business associates.
A HIPAA covered entity is a healthcare provider who generally works directly with patients, such as a hospital. A business associate is an entity who provides services to or for the covered entity, such as a medical billing company or a HIPAA compliant web hosting provider. A HIPAA covered entity has a responsibility to establish a contractual relationship with its business associates. This contract is known as a Business Associate Agreement. The agreement gives the business associate authority to access the covered entity’s sensitive data and binds the business associate to HIPAA standards for the protection and security of that sensitive data. While some hosting providers claim to provide their services without having to access a covered entity’s data, the HHS insists upon compliance due to the potential to access that data. Confusion surrounds the concepts of becoming HIPAA compliant and becoming HIPAA certified.
Compliance applies to all covered entities involved in the collection, processing or dissemination of Protected Health Information (PHI). This is inclusive of healthcare providers and any of their business associates, whether through contract or subcontract. HIPAA requires that certain administrative, physical and technical safeguards be put into place to protect healthcare data. Whether healthcare providers implement their own systems of protecting healthcare data or choose to outsource their IT infrastructure to a HIPAA compliant hosting provider is a matter of choice. There are no established HIPAA hosting requirements. If reliance upon a hosting provider results in a covered entity falling out of compliance, penalties will be assessed against the covered entity, not necessarily the hosting provider. Healthcare providers must have some checks and balances in place to ensure that a chosen hosting provider is able to provide the type of service advertised.
The HIPAA is a federally mandated act and it is applicable nationwide for all healthcare providers and their business associates. The Department of Health and Human Services (HHS) is the federal agency responsible for the oversight of HIPAA and for ensuring that health care providers follow the rules established for accessing, storing, transmitting or otherwise making use of Protected Health Information (PHI). The HHS does not recognize any institution or program as a certifying authority. However, the law insists that all healthcare providers become compliant, and that requires that they train their staff in how to become HIPAA compliant. Healthcare providers, not the federal government, endorse training known as HIPAA Certification courses or HIPAA Compliance courses. These courses are provided by many educational institutions and private organizations, and upon successful completion of such courses, students are provided a course certificate.
The willful neglect of HIPAA compliance requirements can result in fines that range from $10,000 to $50,000 per violation, up to a maximum of $1,500,000 per year. A violation is assessed per record of data that has been compromised. In addition to fines and penalties, violators may be charged criminally and risk going to jail. When neglect is not willful but the violation was committed knowingly, it is considered reasonable cause. Reasonable cause includes the compromise of 500 or more records of medical data. Penalties for reasonable cause can range from $100 to $50,000 per incident, but cannot result in criminal charges or jail time.
The HHS implemented a pilot audit program to assess the issues of compliance for 113 covered entities of various types and sizes. The program specifically assessed compliance with the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule. The audit program provided this select group of covered entities with an opportunity to demonstrate their systems of compliance. The information and data obtained from the pilot audit program was used to understand compliance efforts and the problems encountered in becoming compliant. It was also used to define best practices for achieving compliance.
HIPAA Compliance Checklist
The following HIPAA compliance checklist will assist healthcare providers in ensuring that HIPAA compliant hosting providers incorporate systems, procedures and technologies that will be considered in HHS audits.
- Documented data management, security and training plans
- Policies in place to address physical security, such as access control to physical facilities, computer platforms, electronic media and Protected Health Information (PHI)
- A system of developing unique user IDs and passwords and procedures for login, logout, decryption and emergencies
- Established and documented policies for the storage, transfer, disposal and reuse of data
- Logs and audits of software and hardware use and access
- Policies in place to address data transmission over the Internet through e-mail, private networks and private clouds
- Quality control of errors and failures, such as with altered, destroyed, recovered and backed-up data
- Dynamic access and availability of data
- Private firewall services with virtual private networks
- Production servers separate from database servers and web servers
- Offsite backup or IT disaster recovery methods
- SSL certificates and HTTPS for all web-based access to Protected Health Information (PHI)
- Private IP addresses
- Antivirus solutions
- Operating system patch management
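Several checklist items above (private IP addresses, separation of database and web servers, HTTPS for all web access, antivirus, patch management, offsite backup, firewall with VPN) can be turned into mechanical checks over an inventory a provider hands over during due diligence. The following is an added example, not code from the original article or from any provider; the inventory format, host names and the 30-day patch threshold are assumptions made for the example.

```python
import ipaddress
from datetime import date

# Constructed sample inventory in the shape a provider might supply during
# due diligence; hosts and addresses are invented, not real infrastructure.
INVENTORY = {
    "as_of": "2024-03-01",
    "offsite_backup": True,
    "vpn_firewall": False,
    "hosts": [
        {"name": "web-1", "roles": ["web"], "ip": "10.0.1.10",
         "https_only": True, "antivirus": True, "last_patched": "2024-02-20"},
        {"name": "db-1", "roles": ["database"], "ip": "10.0.2.10",
         "https_only": True, "antivirus": True, "last_patched": "2023-11-01"},
        {"name": "app-1", "roles": ["app", "database"], "ip": "203.0.113.5",
         "https_only": False, "antivirus": False, "last_patched": "2024-02-25"},
    ],
}

MAX_PATCH_AGE_DAYS = 30  # assumed threshold; the checklist names no number
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def patch_age_days(last_patched, as_of):
    """Days between the last patch date and the audit date (ISO strings)."""
    return (date.fromisoformat(as_of) - date.fromisoformat(last_patched)).days


def audit(inv):
    """Return (subject, finding) tuples for every checklist item not met."""
    findings = []
    if not inv.get("offsite_backup"):
        findings.append(("environment", "no offsite backup / DR"))
    if not inv.get("vpn_firewall"):
        findings.append(("environment", "no private firewall with VPN"))
    for h in inv["hosts"]:
        roles = set(h["roles"])
        # Database servers must be separate from web and production app servers.
        if "database" in roles and roles & {"web", "app"}:
            findings.append((h["name"], "database co-located with web/app role"))
        if not is_rfc1918(h["ip"]):
            findings.append((h["name"], "public IP address"))
        # Any host serving web access to PHI must enforce HTTPS.
        if roles & {"web", "app"} and not h["https_only"]:
            findings.append((h["name"], "HTTPS not enforced for web access"))
        if not h["antivirus"]:
            findings.append((h["name"], "no antivirus"))
        if patch_age_days(h["last_patched"], inv["as_of"]) > MAX_PATCH_AGE_DAYS:
            findings.append((h["name"], f"patches older than {MAX_PATCH_AGE_DAYS} days"))
    return findings
```

Running `audit(INVENTORY)` on the sample flags the missing VPN firewall, the stale patching on db-1 and four findings on app-1; an empty result is the state a covered entity should insist on before signing a Business Associate Agreement.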
HIPAA Security Rule for Hosting
Under the HIPAA, the health information of individuals is protected under the HIPAA Privacy Rule, and standards for the sharing and transmission of that information are established by the HIPAA Security Rule. While the language of the Privacy Rule covers Protected Health Information (PHI), the Security Rule is more specific in defining standards for Electronic Protected Health Information (ePHI). The need to address standards for ePHI is a direct result of changing and evolving methods of communicating electronic information. As healthcare providers transition from paper files to electronic methods of storing, sharing and transmitting data, standards for data transfers across electronic media need to be addressed more specifically to account for mobile communications, cloud storage, device synchronization, electronic signatures and other technological advances in the sharing of data that differ from what was required for paper files. The same standards for the privacy and confidentiality of healthcare data apply to PHI and ePHI, but the processes used to keep data private are much more complex and technical for electronic data files and ePHI than they are for paper files.
The HIPAA Security Rule for hosting healthcare data provides standards to safeguard against the compromise of identifying health data. In particular, the HIPAA specifies standards for administrative, physical and technological safeguards that must be implemented. The HIPAA Security Rule requires that certain organizational structures be put into place, and it specifies the need to document those business processes that are adapted for HIPAA compliance. Administrative safeguards include policies, procedures and actions implemented in order to reach the level of security required by HIPAA. Physical safeguards include processes implemented to protect the physical space where information is stored and the computer systems where data is processed. Technological safeguards include methods of protecting, storing, disseminating and sharing electronic information across multiple platforms, servers and devices.
HIPAA Compliant Hosting Providers
Finding good HIPAA compliant web hosting providers isn’t an easy task. As you can see in the HIPAA Compliance Checklist, providers must deal with a lot of requirements to be able to call their solution HIPAA compliant. As you can imagine, real HIPAA compliant hosting doesn’t come cheap. But, if you want to comply with the HIPAA HITECH Act, you simply have no choice.
There are tons of providers who call themselves HIPAA compliant, but few of them actually are. And remember, you are responsible for being fully HIPAA compliant, not your provider. But the most reliable providers will be able to meet all the HIPAA requirements and work with you in becoming and staying compliant. I also want to point out an important section from the “HIPAA Cloud Storage Explained” article, as it’s also applicable to HIPAA compliant hosting:
To help you in your search, I made a list of some of the providers who specialize in HIPAA compliant web hosting.
Disclaimer: HIPAAHQ.com only recommends providers, but can’t be held responsible for any choice you make. You are fully responsible for selecting a HIPAA compliant hosting provider and for becoming HIPAA compliant.