It is becoming the norm for businesses to outsource all or a portion of their IT needs to third-party cloud service providers (CSPs) or hosting providers in order to increase agility and cut down on costs. As such, it should come as no surprise that this trend is becoming increasingly popular in the healthcare industry. However, doing so does not come without challenges for healthcare organizations – the root of which lies in maintaining HIPAA compliance, from their own company to the ones they choose to partner with. With that comes a need to protect the privacy and security of electronic protected health information (ePHI), and in order for IT teams to do so, mitigating risk must continually be top-of-mind. Let’s explore some best practices to mitigate that risk.
Understanding Risk Associated with Third-Party Vendors
With the increasing popularity of and reliance on third-party cloud service providers and hosting providers, HIPAA regulation has increasingly strengthened the requirements it deems necessary to maintain the confidentiality, availability, and integrity of ePHI. Today, it’s not enough that only those in the healthcare industry are HIPAA compliant. Any third-party vendor, referred to in HIPAA regulations as a Business Associate, who stores, transmits, or has access to healthcare data must be compliant as well. This leaves those in healthcare two options if they’re considering storing their data and applications in the cloud—trusting a third party to store only the information that doesn’t require compliance, or searching for a CSP that is compliant. If you choose the latter, here are some best practices to consider.
Managing and Mitigating Risk Associated with Storage
Included in the HIPAA Security Rule are a whole host of Technical, Physical, and Administrative safeguards that must be accounted for in order to maintain compliance. These often fall outside of the solution provided and mainly deal with the functions that support it – the security of the facility that houses the infrastructure, the actions of the individuals responsible for maintaining it, and much, much more. For any healthcare organization that chooses to outsource its IT to a third-party provider, these are all important matters to investigate, as they could affect compliance. Here’s a sampling of some to consider:
- Enforce access control by assigning a username and PIN to each user, and create guidelines for distribution of electronic protected health information (ePHI) in the event of an emergency.
- Record when access to ePHI has been attempted or completed and record what was done with the information once it was accessed.
- Implement workstation policies that provide the appropriate amount of privacy for workstations with access to ePHI, and that determine what work can be done on these workstations.
- Create and implement mobile device policies if ePHI is to be accessed on such a device.
- Create a risk assessment, recording all the instances in which ePHI is used and all the possible scenarios that could take place concerning a breach of ePHI.
- Regularly schedule a risk assessment that provides actions that can be applied to reduce risk.
- Draft an emergency plan that outlines how crucial business processes proceed while protecting ePHI.
- Draft an agreement that outlines who should have access to the data and have it signed by all parties involved.
Questions to Ask Business Associates
When working with business associates, it’s important to determine a third party’s compliance status before you form an agreement. The following are some best practice questions you can use:
- Do you have dedicated staffing for HIPAA? Regulations are intricate and require extensive training. If the prospective business associate doesn’t have dedicated staff specifically for HIPAA, that should raise a red flag.
- What encryption process do you use? HIPAA requires that healthcare entities meet National Institute of Standards and Technology (NIST) standards for encrypting data in transit. By contrast, encryption of data at rest is an addressable standard. Make sure any business associate with whom you work has a clear procedure for encrypting data in transit, and will provide details as to whether encrypting data stored within SANs and on drives and backups is reasonable and appropriate to do. There’s much more involved regarding this subject, so be wary of red flags.
- What are your access control procedures? Cybersecurity is a pressing concern, but what about protecting the physical equipment that supports your solution? Look for business associates that have physical safeguards in place, like electronic IDs and biometric scans that can prevent unwanted access to the systems supporting your data and applications.
- What are your offsite backup plans? HIPAA requires the use of offsite backups as a disaster recovery measure. The offsite backup should follow similar access procedures.
- What ongoing training do you provide? HIPAA is a federal law that’s constantly evolving with the pace of technology. Look for service providers that also maintain compliance with other security frameworks, such as SOX, PCI DSS, or SSAE 16/AICPA.
- Do you have an internal auditing procedure? HIPAA scrutinizes the types of internal processes used to assess vulnerabilities. Consider asking the vendor for quarterly quality assurance checks.
HIPAA regulations are stringent, and entrusting your data to a third party, whether an outsourced IT team, cloud services provider, or hosting provider, is a big step. But when you make it your business to understand HIPAA compliance requirements, especially as they relate to business associates, and know the steps to take to mitigate your risk, you’ll be in good shape. As always, if you need help, we’re here.