Category: HIPAA Compliance Hosting

HIPAA IT Compliance: A Quick Guide

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law from 1996 that requires most healthcare organizations to ensure the privacy and security of most of their patients’ information.

The three different types of healthcare organizations that HIPAA applies to are: healthcare providers (including hospitals and physicians offices), health  plans (including health insurance companies), and health care clearinghouses (including billing services).

It also applies to any person or organization that these three types of healthcare organizations share their patients’ data with—so-called “Business Associates”—including IT hosting companies like IronOrbit.

The law requires these organizations to ensure the privacy and security of any “individually identifiable health information,” which the Department of Health and Human Services (HHS) defines as “information that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

HIPAA requires healthcare organizations to protect this data by doing the following:

  • Implementing “reasonable and appropriate administrative, technical, and physical safeguards to prevent the intentional or unintentional use of disclosure” of this data
  • Implementing “technical policies and procedures that allow only authorized persons to access electronic” individually identifiable health information
  • Implementing measures to prevent unauthorized physical access to any IT hardware that contains or handles any individually identifiable health information
  • Keeping this data from being “improperly altered or destroyed”
  • Protecting this data from being inappropriately accessed when it’s being transferred via a network
  • Setting up an auditing system that logs activity on systems that contain this data

In addition to ensuring the privacy and security of patients’ information, HIPAA also requires healthcare organizations to do the following:

  • Perform risk analyses on a regular basis in which they consider all potential risks to patient data and implement or change their security policies, procedures, and measures to protect their data from these risks
  • Designate a privacy and security official that’s formally in charge of “developing and implementing” the organizations’ privacy and security policies and procedures
  • Develop, implement, and maintain privacy and security policies and procedures, and maintain records of these privacy and security policies and procedures for at least six years “after the later of the date of their creation or last effective date”
  • Train their employees to follow these privacy and security policies and procedures
  • Sign “Business Associate Contracts” with anyone outside of their own organization they allow to access their patients’ information
  • Notify affected patients, the HHS, and “prominent” media outlets within 60 days whenever a security breach occurs

Penalties for noncompliance with HIPAA can reach up to $1.5 million per calendar year per violated HIPAA requirement.

Organizations will not be punished if their violations that are not the result of “willful neglect” and they correct them within 30 days of becoming aware of them.

Employees of healthcare organizations may face criminal charges, and up to 10 years’ imprisonment and fines of up to $250,000, if they knowingly make patients’ information available to people that aren’t authorized to access them.

HIPAA Compliance Hosting: Features and Benefits

Compliance hosting is when an IT hosting company customizes a hosted solution so that it complies with a certain regulation, such as PCI DSS or SOX.

HIPAA compliance hosting, of course, is a hosted solution that has been customized to comply with the IT requirements of the Health Insurance Portability and Accountability Act.

Hosted solutions that can be made HIPAA compliant include hosted virtual desktops, hosted virtual and dedicated servers, hosted Terminal Services/Remote Desktop Services servers, and standalone hosted applications such as hosted EMR/EHR software and hosted SharePoint.

HIPAA, if you’re not familiar with it, is a federal law that requires most healthcare organizations (including healthcare providers such as hospitals and physicians’ offices, health insurance companies, and health care clearinghouses) to ensure the privacy and security of patients’ information.

Organizations can be penalized up to $1.5 million per year for every HIPAA requirement that they violate. The Department of Health and Human Services (HHS) also publicizes violations and the resulting penalties on its website.

HIPAA Security and Data Loss Prevention Measures

A HIPAA-compliant hosted solution usually includes some or all of the following security and data loss prevention measures:

  • An authentication system that requires each person with access to the solution to select a unique username and password, and to have to log in in order to access the solution
  • Two-factor authentication (which requires users to log in with both a password and a temporary code that’s texted to their phone number after they’ve entered the correct password)
  • Automatically-enforced password strength requirements (including minimum length and the required use of symbols, numbers, and upper and lowercase letters), and requiring users to change their passwords after a certain number of days (usually 90)
  • Network and system security measures such as firewalls, intrusion detection, and prevention systems (IDS/IPS), network segmentation, spam filtering, content filtering, in-transit, and at-rest encryption, patch management, and antivirus software
  • Physical security measures at the hosting company’s data centers such as unlisted and nondescript buildings, locked metal doors, biometric access panels (finger and palm print readers and eye scanners), security guards, alarms, closed-circuit video surveillance cameras, server cages, and mandatory check-ins, IDs, and escorts for all visitors
  • Around-the-clock monitoring of the hosted solution’s security by the hosting provider’s personnel, who’ll immediately respond to any security issues that they find
  • A data backup system that automatically backs up all of the solution’s data on a regular basis
  • Logging of all user login attempts and other significant actions

In addition to making your hosted solution compliant with HIPAA, other benefits of HIPAA compliance hosting include:

Less IT management hassles

With HIPAA compliance hosting, most hosting companies will set up, manage, and maintain the hosted solution for you. They’ll purchase and set up the hosting hardware and software, deploy the solution, and implement and maintain all of the necessary security and data loss prevention measures. That includes authentication systems, network and system security measures, around-the-clock monitoring, and automated data backups.

Lower costs

It’s often more affordable for healthcare organizations to sign up for HIPAA compliance hosting than it is for them to deploy the solution in-house in a compliant way.

This is mainly because with HIPAA compliance hosting you’re sharing the hosting company’s security and data loss prevention measures.

These checks include enterprise-level authentication systems, data backup systems, 24x7x365 system, and network monitoring and alarm response, etc. with the hosting company’s other customers.

So, you only have to pay a small percentage of the total costs of these measures—while if you implemented a HIPAA-compliant solution in-house you’d be responsible for 100 percent of the costs.

Increased security

The security measures included with a HIPAA-compliant hosted solution not only make the solution compliant with HIPAA, they also protect your organization from costly and disruptive security breaches.

Increased accessibility

Hosted solutions such as hosted desktops and hosted applications can be accessed from anywhere from any Internet-connected computer, tablet, or smartphone.

Among other things, this allows healthcare workers to access their applications and files outside of the workplace. This means allowing doctors to complete some of their work from the comfort of home, for example. Or to access patients’ records and give a diagnosis or treatment advice if the doctors are unable to make it to the hospital or office.

This allows doctors to access their applications and files from a tablet that they carry with them rather than having to log in to a new PC in each different examination room. It also enables healthcare organizations to outsource some of their work to remote employees to improve quality or reduce costs.

For example, outsourcing the analysis of medical imaging tests to a doctor in another area because there aren’t any qualified specialists in the area or because the ones that are in the area are too expensive.

Increased scalability

 

Hosted solutions are scalable, which means that you can add (or subtract) any amount of users and resources such as vCPUs, RAM, and storage space to them (or from them) quickly and easily.

This makes it quicker and easier for healthcare organizations to supply new hires with IT resources they need to do their do their jobs.

It also makes it easier for healthcare organizations to add IT resources as they expand. As well as to reduce them when downsizing without getting stuck with a bunch of unused, expensive hardware.

To sign up for HIPAA compliance hosting, simply contact an IT hosting company that offers it and that’s capable of meeting all of your IT requirements and preferences.