A quick guide for Healthcare Tech Vendors and Providers
Not all hosting vendors are created equal, despite what some will tell you. When it comes to HIPAA compliance, there are a few core credentials your hosting vendor should possess. When evaluating a HIPAA-compliant web hosting solution, we suggest healthcare providers and vendors that handle protected health information (PHI) check for the following credentials and compliance areas.
Data storage is generally classified in three categories: on-premise, in the cloud, and hybrid storage (a blend of the former two methods). Clients should focus on the security and recoverability of their data no matter what method is used for storage.
Data stored in the cloud can be handled in many ways, but among the most secure is dedicated cloud storage (Interoptex’s choice for data storage). With dedicated cloud storage, protected health information (PHI) is completely isolated from other cloud tenants. Virtual data centers can be accessed by providers through various gateways, each with its own firewall and safety configurations.
Providers should ask potential web hosting vendors about how their data is encrypted. Interoptex deploys encryption at rest and during transmission of data (and any HIPAA compliant web hosting vendor should do the same). Standard encryption protocols include IPsec, SFTP, SSH, and SSL.
Credentialing: Business Associate Agreement, FedRAMP & SSAE 16 Certification
Want to know if your web hosting vendor is really serious about HIPAA compliance protocols? Ask them to sign a business associate agreement (BAA), suggests Jeff Thomas of Forward Health Group. A BAA is a contract signed between a HIPAA-covered entity and a business associate (i.e. vendor). If your vendor doesn’t know what a BAA is, that’s a good indicator that they aren’t very familiar with HIPAA.
FedRAMP is a federal program geared towards standardizing cloud-based data security. The program will perform security assessments, authorize vendors, and provide continuous monitoring. FedRAMP authorization can help reassure a provider that a vendor is HIPAA-compliant, though it does not certify that they are.
SSAE 16 Certification indicates that a vendor has met a series of specific standards as laid out in the Clarified Statements on Standards for Attestation Engagements, published by the Association of International Certified Professional Accountants. SSAE 16 Certification is more “stringent, in some ways…regarding security” than HIPAA compliance, according to this article.
What Makes Web-Hosting HIPAA-compliant?
- “System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.”
The guidelines provided by HHS help establish a framework that providers can use to understand the level of HIPAA knowledge a vendor has. But a provider may also need to consider asking vendors how they maintain HIPAA compliance, not just what they know about it. Regulations and technology change, and your vendor should be able to demonstrate that they continue their education on these topics. A vendor that’s willing to commit to third-party audits (such as SOC certification) is demonstrating an ongoing commitment to compliance.
Value vs. Cost
HIPAA-compliant web hosting is gaining traction, but is it affordable? Many agree that the answer is yes. Especially when a vendor considers the value included in this service. Providers can realize true value when they consider the costs of web hosting versus HIPAA-compliant security protocol management in-house.
On-premise data storage requires equipment, personnel and security protocol management. Tack on HIPAA compliance, which requires extensive knowledge, implementation, and time-intensive homegrown software solutions, and your costs to self-manage may be more than using a web hosting vendor.
Which HIPAA-compliant Web Hosting Solution Will You Choose?
At Interoptex, we provision for our clients through baked in HIPAA-compliant security protocols.
Contact Interoptex to see how we can help!