Top Factors When Choosing a HIPAA Compliant Web Hosting
For many businesses, finding the best web hosting service can be a time-consuming process. Considerations such as the location of the servers, uptime guarantees and technical support services all come into play as you evaluate potential vendors.
How to Select HIPAA Compliant Web Hosting
If you are a health care provider, selecting the right web hosting service is considerably more complex because of the laws and regulations that govern the handling of patient health care information. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, covered entities (CEs) must assure the privacy and security of Protected Health Information (PHI) or face significant fines and penalties.
Covered Entities (CEs) and Business Associates (BAs)
HIPAA Privacy rules apply to covered entities such as health plans, health care data clearinghouses and some health care providers. Health care providers who must comply include doctors, clinics, pharmacies, dentists, chiropractors, nursing homes and psychologists who transmit information in an electronic form covered by a Health and Human Services (HHS) standard.
Often, health care plans or providers outsource some of the functions associated with handling patient information. In this case, each of the “business associates” (BAs) that provides a third-party service also has an obligation to assure that the data is not disclosed, is secure at all times and will not be misused.
Covered Entities must sign Business Associate Agreements with the BAs that are involved in handling their patient health care information. If no agreement is in place, it implies negligence and higher fines may be levied.
Evaluating a HIPAA Compliant Hosting Vendor
To assure that your hosting solution provider is fully HIPAA compliant, they need to have a 100% rating against the most recent Office of Civil Rights (OCR) HIPAA Audit Protocol. This rating is determined by an independent auditor.
The hosting provider’s specific IT services should be closely examined. The vendor should provide detailed answers regarding firewalls, data encryption, secure remote access and authentication standards, and should provide separate production and test servers.
Additionally, your HIPAA compliant hosting vendor should identify the specific administrative and physical controls that safeguard protected health information.
Employee training and operational procedures at the hosting vendor are also critical. Detailed records of employee training must be maintained. The CE must assure that the provider has documented policies and procedures, especially as they relate to a potential data breach.
In the unfortunate event that data is compromised, BAs must notify CEs in a timely manner, and the CE then has 10 days to notify the individuals who were affected by the breach.
Financial Penalties for Data Privacy or Security Breaches
Penalties under the HIPAA Privacy and Security rules can be substantial. A health care organization in Minnesota paid $1,550,000 to settle charges based on its failure to enter into a Business Associate Agreement and its failure to undertake an organization-wide risk assessment.
HIPAA and the HITECH Act help assure that everyone’s private health care data is safe. Health care providers and organizations must invest the resources necessary to conduct an in-depth evaluation process when selecting the right HIPAA compliant web hosting vendor. 🙂