In a previous article, “How to Comply with HIPAA,” we explained what the Health Insurance Portability and Accountability Act is—including the healthcare organizations and the types of information that it applies to, and what these healthcare organizations need to do to comply with it.
In today’s article, meanwhile, we’re going to talk about how signing up for hosted IT solutions (also known as cloud-based solutions) can make it easier for healthcare organizations to comply with HIPAA.
Hosted solutions make this easier mainly because they satisfy many HIPAA requirements by default. Most hosted solutions come with or incorporate by default the following security and data loss prevention measures:
An authentication system that requires each person with access to the solution to select a unique username and password, and to log in in order to access the solution
A data backup system that regularly backs up all of the solution’s data
Physical security measures at the hosting company’s datacenters such as locating them in unlisted and nondescript buildings, locked doors, biometric access panels, mantraps, security guards, alarms, closed-circuit video surveillance cameras, server cages, and mandatory check-ins, IDs, and escorts for all visitors
Logging of all user login attempts and other significant actions
In addition, with most hosted solutions the solutions’ data remains on the hosting company’s servers at all times (though the solution may appear to be running on the user’s device, the hosting platform is actually just streaming the audio and video output of the solution to it), which means that healthcare organizations don’t really have to do anything to protect users’ devices (including installing antivirus software on them and keeping all of their software up-to-date) in order to comply with HIPAA.
Most hosting companies also implement measures to prevent their own employees from inappropriately accessing client data, including internal authentication systems and logging.
These measures satisfy, at least partially, the following HIPAA requirements:
Implement policies, procedures, and security measures to prevent unauthorized physical access to any IT hardware that contains or handles any patient information
Prevent patient information from being “improperly altered or destroyed”
Set up an auditing system that logs activity on systems that contain patient data
Many hosting providers also offer more advanced security measures with their hosted solutions; many also offer HIPAA compliance hosting services in which they customize a hosted solution so that it complies with HIPAA as much as possible. These additional measures include:
Automatically-enforced password strength requirements (including minimum length and the required use of symbols, numbers, and upper and lowercase letters), and requiring users to change their passwords after a certain number of days (usually 90)
Two-factor authentication (which requires users to log in with both a password and a one-time code that’s texted to their phone number after they’ve entered the correct password)
Around-the-clock monitoring of the hosted solution’s security by the hosting provider’s personnel, who will immediately address any security issues that they find
Network and system security measures such as firewalls, intrusion detection and prevention systems (IDS/IPS), network segmentation, spam filtering, content filtering, in-transit and at-rest encryption, patch management, and antivirus software
These security measures will satisfy, at least partially, the following additional HIPAA requirements:
Implement “reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure” of individually identifiable health information
Protect patient information from inappropriate access when it’s being transferred via a network
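As an added illustration of the password-policy item above (example code, not any hosting provider's own software), this Python check enforces the listed character-class rules and the 90-day rotation window; the 12-character minimum and the sample accounts are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Assumed policy values: the page only states "minimum length" and "usually 90" days.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def password_violations(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    checks = [
        (len(password) >= min_length, f"at least {min_length} characters"),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [rule for ok, rule in checks if not ok]


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation window and must be changed."""
    return today - last_changed > timedelta(days=max_age_days)


def accounts_due_for_rotation(accounts: dict[str, date], today: date) -> list[str]:
    """Given username -> date of last password change, list the users who must reset."""
    return sorted(user for user, changed in accounts.items() if password_expired(changed, today))


if __name__ == "__main__":
    # Constructed sample data for the example; not real accounts.
    sample_accounts = {
        "alice": date(2024, 1, 1),   # 91 days before the check date: expired
        "bob": date(2024, 3, 15),    # recent: still valid
    }
    print(password_violations("password"))
    print(accounts_due_for_rotation(sample_accounts, date(2024, 4, 1)))
```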
A healthcare organization that outsources its entire IT to a hosting company therefore doesn’t have to implement very many security and data loss prevention measures itself in order to comply with HIPAA—in fact, if it outsources its entire IT to a hosting company and the hosting company customizes its hosted solutions to be HIPAA compliant, it may not have to implement any of these measures by itself at all.
In this case, the healthcare organization would only be responsible for satisfying the following HIPAA requirements by itself: performing an occasional risk analysis, designating one privacy official and one security official each, implementing and documenting privacy and security policies and procedures, training its employees to follow these policies and procedures, preserving a copy of these policies and procedures “until six years after the later of the date of their creation or last effective date,” signing contracts with “Business Associates,” and notifying patients, the media, and the Health & Human Services Department in the event of a security breach.
The healthcare organization may be able to get assistance from its hosting company with some of these measures; it could also hire a HIPAA compliance consultant. In any case, these requirements aren’t as difficult to satisfy as the ones that require you to implement privacy, security, and data loss prevention measures. You can find risk analysis, security policy and procedure, and “Business Associate Contract” templates online, for example, and you may only have to make slight adjustments to them for them to serve as your official documents. This is a lot easier than having to implement and constantly monitor, manage, and maintain measures such as authentication systems, data backup systems, password management systems, firewalls, antivirus software, and patch management software.
Also, even if you don’t outsource your entire IT to a hosting company, or your hosting company doesn’t offer advanced security measures or HIPAA-compliant hosted solutions, avoiding having to implement even some of these privacy, security, and data loss prevention measures yourself still makes complying with HIPAA a lot easier, especially for smaller healthcare organizations that don’t have any full-time IT employees.