So you did your homework and partnered with a hosting provider that is both HIPAA compliant and has a great reputation for security—you’re all set, right? Actually, maybe not. Let’s back up.
Business associates and their subcontractors are directly liable for HIPAA compliance. In order to be in compliance, you are required to immediately evaluate any businesses with whom you partner to create, store, and transmit the ePHI (electronic protected health information) of which you are the lawful custodian. Relying on someone else to have all the bases covered is not only dangerous, it’s potentially putting you at risk of noncompliance. If you’re even remotely uncertain on this topic, now is the time to educate yourself further about your role in HIPAA compliance—we’ll help by debunking a few of the common myths for you.
Myth 1: HIPAA Compliance is Too Complicated to Learn
Reality: There is a lot of information out there to make it easier for covered entities (CE) and business associates (BA) to understand HIPAA compliance, their roles, and how HIPAA regulations impact the way they do business.
The U.S. Department of Health & Human Services (HHS) has an entire section of their site dedicated to HIPAA for Professionals. HealthIT.gov has a Guide to Privacy and Security of Electronic Health Information, which is a good starting point for beginners.
LightEdge also has an extensive collection of Free Resources for HIPAA Compliance, including blogs, case studies, and news updates to help you understand, meet, and maintain HIPAA compliance, so check them out and use them as you need them.
Myth 2: HIPAA Compliance Doesn’t Affect My Business
Reality: If you’re reading this, it’s likely that compliance does affect your business. If you store, process, transmit, maintain, or touch ePHI in any way, you must be HIPAA compliant. It may seem like a sweeping generalization, but HIPAA compliance is required of any entity that handles this type of information because every point of contact is a point at which ePHI can be compromised.
If you are a healthcare provider, a medical transcriptionist, a cloud-based applications provider, a storage and backup provider—or anyone else who handles, or has access to, ePHI—you are not exempt, and you may be subject to audits and fines if you don’t have your compliance bases covered.
Myth 3: We Only Have to Do a HIPAA Compliance Risk Assessment Once
Reality: Whether you are considered a covered entity (CE) or a business associate (BA), HIPAA requires that you update your compliance risk assessment whenever your system undergoes change, or in the event of a security breach – no matter how minor.
Audits for HIPAA compliance are already underway in 2016 and will be ramping up throughout the year and into 2017. There are approximately 180 areas for compliance listed on the OCR’s Phase 2 HIPAA Audit Protocol, which will be examined during this phase. The OCR’s case examples and recent large fines demonstrate that you must undertake compliance risk assessments on a regular basis.
Myth 4: My Data Center Partner and I Have a Business Associate Agreement, So It’s Not My Responsibility
Reality: As we stated above, every entity covered by HIPAA is required to take measures to ensure HIPAA compliance. While HIPAA requires that you have a signed Business Associate Agreement (BAA) with your providers, that doesn’t turn the responsibility entirely over to them. You have a partnership in which both parties are expected to ensure the privacy and security of ePHI.
If you are audited in Phase 2 during 2016 or 2017, you and your BA will be required to show specific documentation and information to the auditors during the desk audit. This means you must work with HIPAA compliant BAs that are also performing risk assessments, or risk on-site audits and possible fines.
Myth 5: All Cloud Storage Providers are HIPAA Compliant and Will Pass an Audit
Reality: There’s a world of difference between private cloud and public cloud storage solutions that can impact your HIPAA compliance. Some of them might even cause you to fail an audit. With a private cloud solution, your service provider has ownership and complete control of the data storage site. If a cloud storage provider uses a public cloud (like Amazon Web Services, Azure, Google, etc.) to provide your solution, they most likely don’t have access to the data center, nor is the security level the same as that required by HIPAA.
For an auditor to assess and approve an IT environment, the auditor requires physical access to the data storage site to evaluate the systems used to store and transmit ePHI. To ensure that your cloud storage provider will pass an audit as your BA, check that they follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework as well as HIPAA requirements, and that they have used the OCR’s “Crosswalk” map between the two to identify and close gaps in security.
HIPAA Compliance Can’t Be Ignored
The days of flying under the radar are gone. Audits have started, and the penalties for non-compliance and security breaches are steep. It’s time to make sure that you understand the requirements, that you and your BAs are compliant, and that you are partnering with the right storage solution provider to ensure that your data is secure from loss or attack.
Additional Resources:
What to Look for in HIPAA Compliant Hosting
HIPAA Guidelines: Maintaining Security and Compliance in the Cloud