This article was originally published by ATI partner Mitel on Mitel’s Blog.
Whether you work in a multi-hospital healthcare system or a private dentist’s office, protecting personal health information (PHI) is essential. HIPAA’s rules and requirements are clear — no matter what, PHI must be kept completely confidential.
This has become increasingly important as more and more healthcare providers (or “covered entities,” in HIPAA language) use the cloud to store data and run software. Among other things, this means the vendors who provide those services must be certified HIPAA-compliant.
What does that mean for a cloud service provider? Or for a vendor offering business VoIP services? What if the data is encrypted so that cloud providers cannot read it? Do they still need to be certified HIPAA-compliant? What is their responsibility when security breaches occur, or during natural disasters? What happens to the data when a healthcare provider terminates the vendor relationship?
Is your head spinning yet? Obviously, using a third-party to handle sensitive patient data requires a lot of careful thought.
HIPAA: The Basics
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers and their vendors to establish three types of controls when handling PHI (or “ePHI” for electronic patient data): administrative, physical and technical. Policies and procedures are examples of administrative controls. Protecting hardware is a physical control. Implementing data encryption is a technical control.
Covered entities need technical vendors that offer multi-layer security frameworks with physical and technical safeguards enforced by stringent administrative policies. They should be certified HIPAA-compliant and offer a Business Associate Agreement (BAA). Thus, as a best practice, it’s a good idea to work with vendors who offer HIPAA-compliant solutions like MiCloud Connect, built on Google Cloud.
In fact, the law is quite clear when it comes to the responsibility of third-party vendors, such as cloud providers, that deliver technical services to healthcare providers. The Guidance on HIPAA & Cloud Computing published on HHS.gov explains the obligations of Business Associates:
“When a covered entity engages the services of a CSP [cloud service provider] to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.
“As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is…directly liable for compliance with the applicable requirements of the HIPAA Rules.
“If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules.”
The bottom line: Any vendor you choose to handle your ePHI must provide a BAA that spells out in detail each party’s responsibilities. The agreement can specify how the data will be used, stored, protected and transmitted; what will happen in case of a security breach or natural disaster; disposition of data at termination of contract; and any other requirements or conditions the covered entity deems important.
In addition to the BAA, clients can include provisions in a Service Level Agreement (SLA) to address HIPAA concerns, such as backup and data recovery. Whether you’re concerned about a hack or a natural disaster, ask the vendor what plan it has in place to protect and recover your data.
Use the SLA to specify the vendor’s security responsibilities. HIPAA regulations require that both covered entities and business associates abide by the Security Rule. Even when clients control access to the data via encryption, vendors still must be HIPAA-compliant. Consider requiring vendors to demonstrate how they remain current with the latest encryption standards.
As part of the agreement, be sure to cover what happens when the relationship ends. How will the data be returned to the healthcare provider? Under the Privacy Rule, HIPAA regulations require business associates to return or destroy all PHI at a contract’s termination.
When evaluating vendors, look for partners that are certified HIPAA-compliant. Confirm that they’ve engaged a third-party organization to verify their compliance using the most recent Office for Civil Rights (OCR) Audit Protocol. Since HIPAA rules can change over time, certification is not a one-time deal.
All covered entities are responsible for their HIPAA compliance and open to audit. Consequently, your vendor should conduct regular internal checks. Ask each prospective partner how often it audits its processes and procedures.
Also, find out if the vendor has a dedicated internal information security team responsible for monitoring HIPAA protocols on an ongoing basis. And make sure the vendor’s employees receive ongoing training to keep up with changes in HIPAA rules.
Whether you’re a healthcare provider or a business associate, HIPAA requires you to conduct risk analyses of potential threats and vulnerabilities to ePHI.
A recent study by CynergisTek found that third-party vendors were responsible for 23 percent of 2018’s healthcare data breaches. One reason: Many providers lack processes to address – and predict – risks.
David Rauschendorfer, senior director of CynergisTek’s Security Services Operations, highlights this finding. “Vendors lack activities that identify threats as well as the potential business impacts of identified vulnerabilities,” he explains. “These high-risk vendors often lack established or formally documented methodologies to prioritize and address identified risks.”
Ask your vendor about its procedures for not just protecting ePHI, but also identifying potential threats and vulnerabilities. You always want to be proactive, not reactive.
If a security incident does occur, HIPAA is quite clear on the vendor’s responsibilities. The Security Rule requires business associates to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; and document security incidents and their outcomes.” The Breach Notification Rule spells out the content, timing and other requirements for business associates to follow when reporting incidents to the covered entity.
Ask each potential vendor what policies and procedures it has in place to address and document data breaches or an attack on its systems. In particular, how does it discover data breaches? How does it identify the problem’s source, and what remediation steps does it take to limit damage? Require specific timing for notification and resolution.
All Secure In One Place
When choosing your cloud vendor, consider how it will enable your organization to access and use essential patient information while remaining compliant with HIPAA regulations. Ultimately, you have to store information in a way that’s both secure and accessible so that medical professionals can share and collaborate while patients can manage their healthcare.