September 28, 2020 | By Greg Dougherty
The Health Insurance Portability and Accountability Act (HIPAA) is a federal mandate enacted in 1996 to protect the privacy of individual’s health information. Following suit in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into federal law to promote the adoption of the meaningful use of Health Information Technology (HIT) in the United States. The HITECH Act also laid the groundwork for widespread use of Electronic Health Records (EHRs). Further statutory requirements regarding patients’ privacy rights and protections were set in 2013 when the final HIPAA Omnibus Rule was passed to hold all custodians of Private Health Information (PHI) subject to the same security and privacy rules as covered entities under HIPAA. HIPAA Business Associates (BAs) such as Many Managed Service Providers (MSPs) are no exception; even ones that don’t handle patient files directly are subject to potential liability.
BAs are “any person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity”. A HIPAA-HITECH compliant healthcare company, enterprise, or BA must ensure that the electronically protected health information (ePHI) they develop, receive, store or transmit meets HIPAA-HITECH confidentiality, security, integrity, and availability criteria. Ensuring HIPAA-HITECH compliance can still be a fairly convoluted and complex initiative for many entities. With growing e-security concerns and the very real and ever-looming threat of healthcare data breaches, however, these regulatory mandates have made it to the top of today’s healthcare provider and enterprise agendas.
Covered entities under HIPAA are responsible for configuring their applications, platforms, websites, and portals in a HIPAA-compliant manner and for enforcing policies in their organizations to meet HIPAA compliance. This is why they must require their providers/vendors to sign Business Associate Agreements (BAAs) before storing any PHI to ensure they can protect the covered entities’ information in accordance with HIPAA guidelines. Any HIPAA BA that serves these covered entities can be audited by the Office for Civil Rights within the Department of Health and Human Services at any point in time. Furthermore, failing to sign a BAA doesn’t exempt an MSP from being held accountable for a data breach. It also doesn’t protect a provider from non-compliance penalization, which can come at a hefty price tag. Violations can range anywhere from $100 per violation all the way up to $1.5 million per year.
So, how can healthcare and enterprise customers know their data is safe in the hands of an MSP?
1. Ensure your provider has completed a HIPAA Matrix – While there is currently no standard HIPAA certification for MSPs, a provider can request that a HIPAA Matrix be completed during a Statement on Standards of Attestation Engagements No. 18 (SSAE 18) audit certification. These audits are performed annually – typically by an independent, third-party auditor – and attest that the MSP properly conforms to HIPAA data privacy and security regulations. Opti9 has completed a HIPAA Matrix in addition to achieving its SSAE 18 Controls at a Service Organization (SOC 2) Type 2 audit certification for both its data centers and service offerings.
Opti9’s data centers and Managed Hosting solutions, including Colocation, Dedicated Servers, Managed and Unmanaged Private Clouds, Managed and Unmanaged Public Clouds, Cloud Storage, and IP Transit are fully HIPAA-HITECH compliant. Our global network of facilities and extensive portfolio of services features a number of safeguards to ensure maximum data protection and safe transmission of covered entities’ ePHI.
2. Sign a BAA – BAAs are crucial to assuring healthcare or enterprise customers that their sensitive information is safe and secure. These contracts typically establish the BAs’ permitted/required PHI uses and disclosures in addition to identifying appropriate termination provisions. Samples of BAAs can be found here. Opti9 is one of the few Managed Hosting providers that sign HIPAA BAAs with customers, demonstrating our commitment to the proper storage and security of ePHI for the healthcare and enterprise markets.
3. Check for additional data security protocols –In addition to signing BAAs, your providers should go the extra mile to strengthen data security protocols across their services and infrastructure. This can be done in a number of ways; for example, Opti9 ensures that:
| – | Each customer is segmented into their own dedicated Virtual Local Area Networks (VLANs) for public Internet and internal communications, and that all data between shared storage platforms and customer infrastructure travels over that dedicated VLAN |
| – | Physical access to production servers and facilities is restricted |
| – | All managed services are firewalled by default for Secure Shell (SSH) and File Transfer Protocol (FTP) |
| – | Data uploaded to managed platforms is automatically scanned for viruses |
| – | Multiple types of Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Firewall and Web Application Firewall (WAF) services are available to be added to any customer configuration |
| – | Distributed Denial of Service (DDoS) mitigation services are available to detect and block malicious volumetric attacks |
| – | Customers are provided access to NetFlow portals to view details on all traffic to/from their infrastructure |
| – | Anti-virus software (ClamAV) and file auditing software (Tripwire) is available to be ran on managed platforms |
| – | Configurable administrative controls are available to customers to grant explicit authorization for FTP & SSH accounts, access audit logs for their customer portal, and maintain visibility into a reporting and audit trail of account activities on both users and content (via Tripwire) |
| – | Customers have access to a formally defined and tested breach notification policy |
| – | Employees are trained on security policies and controls |
| – | Employees’ access to customer data files is highly restricted |
| – | Customers are guaranteed a 99.9% uptime Service Level Agreement (SLA) for maximum availability. |
At Opti9, we help healthcare providers and enterprise businesses with HIPAA-HITECH compliance, so you can rest assured knowing your sensitive data is safe and secure. Our Managed Hosting solutions and data center facilities are certified to support HIPAA-HITECH compliance to improve efficiency, reduce risk and let you focus on your healthcare services and patient care.
To learn more about Opti9’s HIPAA-HITECH compliant Cloud and IT Infrastructure solutions, click here.