This week’s Friday Five is brought to you courtesy of Marty Puranik, founder, president, and CEO of Atlantic.Net (@atlanticnet). Atlantic.Net offers healthcare hosting solutions that are third-party-audited – allowing patients, healthcare practices, and other ePHI-handling (electronic protected health information-handling) organizations to know that their information is protected throughout their interaction with your site.
Beyond looking for credibility markers such as audits, it is critical for organizations to know how to stay compliant when they work with healthcare hosts, so common characteristics of these settings should be understood. The host should be compliant with federal healthcare law. It should meet the needs of the HIPAA Privacy and Security Rules. It should have key compliance technologies implemented. Finally, the hosting service should be offered in diverse forms, including cloud as well as dedicated hosting and virtual private server (VPS) hosting, and colocation, any of which may be integrated with on-site data centers.
It is compliant with federal law.
Healthcare hosting is the provision of infrastructure and infrastructure-related services that comply with federal regulations, especially the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information for Economic and Clinical Health Act of 2009 (HITECH).
A healthcare host should sign a business associate agreement (BAA) with you, and that contract should stipulate exactly how they are accountable for ePHI – both the exact data that is involved and the nature in which the information is being handled. One key responsibility of the host as a BA is that they need to notify you, per the Breach Notification Rule, if they experience a breach – in which case you must then contact additional parties (whether that’s you contacting a covered entity, or contacting the patients and HHS, and the media if that applies).
The Privacy Rule applies.
The Privacy Rule created national standards related to protecting health information, controlling how it is used and disclosed. The rule also created standards that describe how people can control and understand their health records.
At the center of the Privacy Rule is the desire to allow for sufficient movement of information in order to promote high-quality healthcare and safeguard the public interest while at the same time adequately protecting health information. In the context of hosting and other health IT, the Privacy Rule is largely considered in terms of the Security Rule.
The Security Rule applies.
For any systems that contain ePHI (personally identifiable information that is related to healthcare provision and handled in any way), you need to follow the HIPAA Security Rule just as you do the Privacy Rule. The Security Rule applies its individual rights to data protection, via the establishment of technical, administrative, and physical safeguards. These defenses must be established for all data, whether you are receiving it, transmitting it, or handling it in any other way.
It includes key compliance technologies.
HIPAA hosting should include managed firewalls. It should also offer an encrypted virtual private network (VPN). Secure sockets layer (SSL) certificates should be installed sitewide. Managed multifactor authentication (MFA) should be implemented. Offsite continuous data protection (CDP) backup should also be established. The host should also stay abreast of the threat landscape and protective innovations.
It comes in various forms, including cloud.
To address questions that had become common about the extent to which cloud computing could be implemented in a healthcare-compliant setting, the Department of Health and Human Services (HHS) released cloud computing guidelines. These guidelines state explicitly that, as long as they have signed a BAA with the provider, a “covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.).”
Other types of hosting can be HIPAA-compliant and HITECH-compliant as well, including dedicated hosting, virtual private server (VPS) hosting, and colocation, any of which may be integrated with on-site data centers.
***
When you are planning healthcare infrastructure and need to work through the spectrum of compliance concerns, call them with questions at 888-618-DATA (3282).
ICYMI – Our other Friday Fives and Blog posts from HCNR’s Nurse Lauren.
