Outsourcing HIPAA: How to remain compliant in the cloud

Let's be honest: many organizations treat HIPAA as a set of suggestions. Lip service to HIPAA is everywhere, but actual compliance is surprisingly lax for such a high-profile regulation.

Why can companies treat something so important so cavalierly? Because they don't think they will get caught. For years, it was "more or less widely known within the healthcare industry... that HIPAA has not been rigorously enforced." This was particularly true in regards to technology. The rules were fuzzy, so organizations kept their data in house, made sure their patients signed on the line, crossed their fingers and called it a day.

The HITECH Act changed that. Passed in 2009, the HITECH Act opened the door for third parties to operate HIPAA structures for another organization. Technology providers, for instance, can now host information on their external platforms. When they do so, however, the third party becomes liable for operating under HIPAA's regulations.

Cue IT rejoicing. Internal IT teams now have options for storing and managing data, especially electronic patient health information (ePHI), and the liability burden gets passed to someone else. IT is under tremendous pressure to reduce costs, and the cloud is a powerful way to do that. The HITECH Act makes a cloud strategy a real possibility.

This shifting landscape, of course, has not gone unnoticed by cloud providers. As soon as healthcare orgs began looking for HIPAA-compliant options, vendors started selling them. The pitch typically goes something like, "Just trust us! We've got you covered!" Larger companies with dedicated compliance teams in-house can run these claims against their documented requirements. Smaller organizations, however, may not even know what those requirements are, which makes it tough to evaluate a vendor's veracity.

Small and mid-market healthcare orgs are therefore in a tough place. Outsourcing HIPAA-dependent data makes business sense, but risking non-compliance on a cloud provider's word does not. The cloud lowers costs and adds efficiencies, but feels inherently insecure in such a highly regulated environment. And while HITECH opened up the exchange of healthcare information, it increased the possibility of enforcement as well – so the "cross your fingers" strategy no longer cuts it.

There are, however, steps businesses can take to both benefit from the cloud and ensure compliance internally and externally. The first, while obvious, can't be stressed enough: Learn the HIPAA requirements. If you do not have a dedicated compliance officer or team, assign someone to become a subject matter expert. HIPAA compliance often comes down to "you don't know what you don't know." It's incredibly difficult to remain compliant when you're not sure exactly what that entails.

If you plan to outsource to a cloud provider, do your due diligence. Many vendors claim to streamline HIPAA compliance, but don't specify exactly how they do so. Explore the platform to assess controls and reporting; you need both. The controls should ensure that you are in fact complying with the various aspects of the HIPAA structure, while the reporting generates the logs necessary to prove that you're HIPAA compliant in the event of an audit.

Finally, look for third party validation. HIPAA does not provide certifications, so anyone can say that they facilitate HIPAA compliance. Some vendors, however, undergo third party audits to assess which controls are in place and how they support the designated regulations. Ask for the results of those assessments, and compare them against each other when selecting a cloud provider.

Outsourcing HIPAA data management can be a boon to the business and IT. Healthcare organizations, including the little guys, shouldn't be scared of the cloud – but they should be sure to do their HIPAA homework.

About author Frank Krieger:
With a career in IT spanning 18 years and over 12 years of ITIL and compliance background, Frank Krieger manages the iland compliance office in the company's Houston headquarters. Frank received his degree in Computer Information Systems from Northern Michigan University and has an extensive background in enterprise ITIL, audit controls and compliance including managing service organizations for Fortune 10 companies. Frank has held ITIL Practitioner status and is currently a certificated ITIL Expert. These achievements represent not only an in-depth understanding of process and service management, but also extensive compliance knowledge. When not busy pouring over frameworks and audit requirements, he spends time traveling with his wife, Jacque and polluting the internet with corgi photos.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.​

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months