The healthcare industry has undergone some major changes over the last several years, most notably with the implementation of the Affordable Care Act and changes to the Health Insurance Portability and Accountability Act (HIPAA). Many of these changes have come with additional expenses, which are forcing companies to re-evaluate their costs – and oftentimes cut their IT budget.
Is Cutting Corners with HIPAA Compliance Worth the Risk?
As a certified HIPAA cloud provider, we highly, highly suggest that organizations do not cut corners when it comes to HIPAA compliance. Sure, there are plenty of companies out there touting a $300/month compliant hosting plan (significantly less than our offering), but before choosing any solution, you should always take note of which features are and are NOT included. Oftentimes the plan offered not only fails to address the customer’s needs, but also fails to cover even the bare minimum requirements enforced by the federal government! Penalties for recent data breaches have cost businesses up to $1M – and in some cases more – and if you ask us, that is not a risk worth taking for some short-term savings in your IT budget.
The Office for Civil Rights (OCR) has also been gearing up to increase the frequency of its audits. Organizations being audited will have to present documentation showing that they have all necessary processes in place to ensure compliance. Simply saying that these procedures are being followed is just not going to cut it.
Basic HIPAA Compliance Features
To keep your sensitive business data safe, we recommend asking any potential HIPAA cloud provider the following set of questions. If the answer is “no” to any of them, beware… this provider may end up costing your business far more than it saves.
– Is the environment built on private cloud infrastructure?
– Does the solution include a dedicated firewall?
– Is there encryption support for data in motion and at rest?
– Are offsite encrypted backups included?
– Are log management tools like Tripwire included that can provide detailed proof of your compliance?
– Have your data centers been independently audited?
And of course, more general questions:
– How long have you been in business?
– How many HIPAA customers do you currently have?
– Are the data centers SSAE-16 certified?
– Is 24/7 unlimited support included?
These questions will help ensure you are getting a solution that is not just “good enough,” but truly compliant with federal HIPAA regulations. It all comes down to merely checking the “HIPAA compliance” box vs. being able to show that all security and compliance processes are in place to protect the data. Trying to just get by when it comes to managing electronic medical records (EMR) can be one of the biggest mistakes an organization can make!
We’ll follow up with another post after the initial round of OCR audits later on this year and show some examples where “good enough” did not suffice. In the meantime, feel free to download our HIPAA Hosting vendor checklist or contact us with any questions.