The following is reproduced from a Daily TR1 article from 451 Research analysts Jim Grogan and Stefanie Beaubien on October 12 entitled, “HIPAA Compliance: What it Means for Colocation, Hosting, Cloud and More“.
Since compliance is such a relevant, important topic for many AIS clients, I felt it would be worthwhile to re-post the piece here for convenient consumption.
Emphasis in red added by me.
Brian Wood, VP of Marketing
“You don’t have to look far to find HIPAA-compliant service offerings today. One of the most recent announcements came from Verizon/Terremark, offering products to its colocation, managed hosting, public and private cloud customers which satisfy the The Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules for electronic protected health information security and privacy.
HIPAA Terms Defined
To better understand the HIPAA compliance issues, it is critical to understand some key terms, especially as they apply in the multi-tenant datacenter (MTDC) marketplace.
Protected Health Information (PHI) – This is the information related to an individual patient and his or her medical status, such as information contained within a medical record, and any associated identifying information which can link that medical status to a particular patient, including items such as social security numbers, home addresses, electronic addresses such as e-mail or associated billing information such as account numbers, license numbers or identifying photographs. Such PHI may exist in physical or electronic form, both of which are required to be kept secure, private and confidential.
Covered Entity (CE) – Covered entities are, in the broadest terms, any person or organization that collects, transmits or stores PHI information regulated by the HIPAA legislation; examples of CE would be insurance companies, hospitals, healthcare providers and community health information systems.
Business Associates (BA) – Such parties that provide services to CEs that require the disclosure of PHI controlled by that CE in order to fulfill their services are designated as BAs. This includes organizations that may process health claims, provide utilization review services, that may provide insurance claim reviews as examples. This would include IT outsourcing services being performed on behalf of the CEs. In some cases, an organization that is a CE for one group of patients may also be a business associate for a separate CE if it is providing these types of services to others who may be providing the direct care or insurance processing.
HIPAA defines compliance related to rules supporting the legislation, including a privacy rule, a security rule and elements related to the administrative safeguards. In most cases within the context of MTDC suppliers, their role will be as BAs to CEs. As such, they have an obligation to comply with all relevant HIPAA regulations in regard to the PHI which they may be entrusted with processing.
In its recent announcement for healthcare services, Verizon/Terremark, for example, committed to providing a BA agreement to each healthcare customer (CEs). Such BA agreements commit, as a vendor, that the BA will adhere to all HIPAA requirements, thus enabling the CE to enter into the MTDC sourcing agreement with a high degree of confidence.
HIPAA Compliance Audits
When initially promulgated, the HIPAA guidelines described what needed to be achieved, but not how it was to be achieved. HIPAA enforcement falls to the Office of Civil Rights (OCR), which has clarified how HIPAA compliance is to be measured through its publication of audit protocols. The protocols are the primary guideline used by auditors to determine HIPAA compliance, and are a work in progress. A pilot program has been completed to validate the initial protocols, and OCR has indicated its intent to complete more than 100 audits during 2012 to further validate the effectiveness and clarity of the protocols in practical use.
The protocols cover 165 specific points of regulatory compliance under HIPAA, including 88 related to the privacy and breach notification rules, and 77 related to the security rule. Within the HIPAA requirements, certain elements are required to be followed, and others are deemed ‘addressable.’ To pass any audit, all required elements must be satisfactorily achieved; those items that are addressable are not really optional, but rather the law requires that the CE or BA determine whether the elements stipulated are reasonably applicable to the PHI and processing they are performing.
If they determine that they reasonably apply, then they are held to be an obligation in order to be HIPAA compliant. If deemed unreasonable to the PHI and processing activity, then the CE (and BA, by association) must document why they are unreasonable. The HIPAA audit would then include the review of this documentation, and the auditor’s agreement with the facts offered would be needed before the protocol could be set aside.
The Audit Challenge
Each MTDC vendor offering healthcare-related services must determine how it will achieve HIPAA compliance. No blanket certification process exists today; in the case of any HIPAA failure, it is the audit process that determines whether compliance with the regulations was in place at the time of the failure. To validate their compliance, vendors have taken multiple paths.
Verizon/Terremark has been part of the industry consortium that developed the Health Information Trust Alliance Common Security Framework (HITRUST CSF). This framework was developed specifically for the healthcare industry, with the intent to identify not just the HIPAA privacy and security elements, but applicable elements of other security requirements, such as the Payment Card Industry Data Security Standard (PCI-DSS). It is recognized that for an organization, achieving compliance with multiple security regulations takes constant vigilance and significant expense. The HITRUST CSF offers one mechanism to consolidate this effort, and determine whether the practices and procedures in place within the organization reasonably position it to be compliant with the multiple regulations.
The difficulty with HITRUST CSF and HIPAA is that the US Department of Health and Human Services has not officially embraced HITRUST as an alternative to its audit process. It is mentioned in passing as a tool that could be used in preparation, but only the OCR audit protocols are the approved measure of compliance today.
In conversation with other vendors offering HIPAA-compliant MTDC services, they say they have taken the direct route. Jana Merfen, director of financial reporting and audit at Quality Technology Services (QTS) says QTS has taken the approach of mapping each HIPAA requirement to its security policies and procedures, and then following SSAE 16 SOC 2 procedures to audit that each element is achieved. The resulting SOC 2 audit report can then be made available to any of the firm’s customers as attestation of its HIPAA compliance.
April Sage, director of the healthcare vertical at Online Tech, leverages a third-party auditor to review the firm’s policies and procedures directly matched against the OCR protocols. Sage points out that Online Tech chose this approach because HITRUST CSF, while helpful in that it is extremely prescriptive in regard to what to do, stands without formal acknowledgment by OCR. Online Tech further points out that the differences in HITRUST CSF ratings, offering ranges from -1 to 5, can create confusion when attempting to correlate those findings with the binary, pass-fail approach found in the protocols.
Achieving HIPAA compliance is not an option – it is the law, and is a requirement for each covered entity and its business associates. For many years, HIPAA compliance was given less attention than was needed by some that fell under the regulation, but all that changed in 2009 with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which substantially increased penalties for failure to comply.
For CEs looking to MTDC vendors for colocation, hosting and cloud services, it is essential that they understand how the vendor approaches its HIPAA compliance achievement. One cannot outsource compliance; the CE remains responsible for how it will meet the regulations, and its decisions to choose business associates that will similarly satisfy requirements is part of how compliance will be measured.
Healthcare is a growth vertical in the MTDC marketplace; for care providers, relying on partners to handle IT tasks allows them to focus on quality of care issues, which really ought to be their primary concern. Coupled with the ongoing federal mandates to implement electronic medical records across care delivery organizations and providers over the next few years, care delivery organizations will increasingly rely on partners for IT services. Look for more HIPAA announcements in the days and weeks ahead, as vendors align their services with the regulatory landscape and growth opportunities.”