Five Questions to Ask Your HIPAA Hosting Provider
With the litany of HIPAA breaches caused by business associates/IT vendors in the news lately, covered entities need to be more proactive when it comes to vetting their HIPAA hosting provider.
Protecting confidential patient health information and preventing a HIPAA violation should be the top IT goal of all healthcare organizations, individual providers and software vendors.
But hosting your critical data and applications with a provider requires trust and confidence in their ability to meet HIPAA compliance requirements. What questions should you, as covered entity, ask your HIPAA hosting provider?
- Have you been independently audited against the OCR HIPAA Audit Protocol? To verify your data center operator and hosting solutions are truly HIPAA compliant, they need to be 100% compliant against the latest OCR HIPAA Audit Protocol, as determined by an independent auditor. Although covered entities need to assess their own policies and procedures to become HIPAA compliant, partnering with a HIPAA compliant IT vendor will greatly improve your chances of passing a HIPAA audit.
- What particular IT services meet HIPAA compliant security standards for protecting PHI? Your HIPAA hosting provider should be able to answer this question with specific answers that detail recommended IT services – a private firewall, either virtual or dedicated, with VPN for remote access; data encryption following NIST standards; separate database and web servers for production, etc.
- Do you have documented policies and procedures? Make sure you know your hosting provider’s policies when it comes to a data breach – they are required by law as a BA (Business Associate) to notify covered entities in a timely manner, and covered entities are required to notify affected individuals within 10 days. Not following these deadlines and procedures can result in costly lawsuits.
- Are your employees trained? The recent military healthcare contractor HIPAA violation was attributed to an employee transporting PHI off of government property and leaving backup tapes unattended in the trunk of a car. The recent lawsuit states that their employees were either not properly trained or completely untrained in HIPAA compliant security procedures. HIPAA requires all employees to be trained in the proper security practices, including policies, physical security, logical security, risk response and reporting, passwords/workstation use, data protection and more.
- Do you have a thorough BAA (Business Associates Agreement) with documented and communicated policies? Under HIPAA’s standards for penalties, the lack of a BAA implies negligence, which may fall under Willful Neglect – fines ranging from $10,000 to $50,000 for each incident and potential criminal charges. A BAA can also be valuable to define how the data is handled after service termination; a sample BAA from HHS.gov includes a provision requiring the BA to return or destroy all PHI received from the covered entity, emphasizing that the BA shouldn’t keep any copies of the PHI. If you don’t sign a well-thought out BAA with your hosting provider, they can potentially keep your data on file long after you leave them.