With the digitalization of healthcare records, maintaining high standards of data security is more crucial than ever. For healthcare providers – and any company dealing with protected health information (PHI) – the primary standard to meet is embodied by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Since the introduction of HIPAA, there have been two important updates to the act. The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2010, updated HIPAA rules to include electronic medical records. The Omnibus Final Rule, introduced in early 2013, increased the scope and liability for involved parties. This rule widened the definition of “business associates” which must be HIPAA-compliant to include any entity that “creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” Because healthcare providers are storing and archiving electronic PHI, this includes data centers and cloud providers.
What This Means for Data Centers and Cloud Providers
Data centers and cloud providers have typically been considered “business associates” by HIPAA standards for some time – and thus liable for being compliant with HIPAA requirements – but the Final Rule eliminated any doubt about this. The federal document addresses this directly, stating that “A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
To be HIPAA compliant, data storage providers – whether internal or outsourced – must undergo an independent audit, ideally adhering to the OCR HIPAA Audit program to be compliant with the most current requirements. Compliance relies on extensive administrative, physical, technical and organizational safeguards that ensure electronic PHI is secure and protected. The data center and cloud provider companies that are compliant tend to have a top-to-bottom culture of security; not only are policies and governance standards designed to protect PHI, but there are ongoing HIPAA awareness programs and training for all employees.
Choosing a HIPAA Compliant Data Storage Provider
For healthcare organizations, choosing the best data center or cloud provider isn’t always an easy decision. Providers may claim to be “HIPAA certified” or “HIPAA ready,” but this does not necessarily mean they are compliant. Providers that can truthfully claim to be HIPAA compliant will be able to provide a copy of their HIPAA compliance report and should have no issue signing a business associate agreement. If a covered entity (CE) elects to use a storage provider that is not compliant, the CE must have that provider evaluated for compliance in order to demonstrate due diligence.
To read more about the latest HIPAA compliance updates, visit the HHS website for details.
Until next time-