One thing is for certain, Peak 10 can help your business know how to become HIPAA compliant.
The claim to being HIPAA compliant is de rigueur for any business entity in search of healthcare industry customers. But don’t go looking for a regulatory compliance certificate hanging on someone’s office wall or a “HIPAA-certified” logo on a vendor’s webpage. Official certification doesn’t exist.
What do exist, however, are the HIPAA Privacy Rule and the Security Rule. Together, these two rules clearly define the policies and procedures for handling protected health information (PHI), whether that information is in an email, on a laptop, in a file folder or on a cell phone. If a reported data breach occurs and the provider and/or its business associates are found wanting in following rules and best practices, the legal and financial consequences can be punishing.
So why are we seeing more and more claims to HIPAA compliance? Two things: the healthcare industry is under siege from cyber criminals who want to steal PHI because it’s so valuable compared to other categories of personal information; and it’s the first question any healthcare IT professional who works for a “covered entity” will ask a prospective cloud or colocation services provider that is considered a “business associate” (BA).
Therein lies the cognitive dissonance: People asking for and claiming to have something that isn’t officially sanctioned by the U.S. Department of Health and Human Services or its HIPAA-enforcement arm, the Office of Civil Rights (OCR).
“Just a minute, there, Peak 10,” you rightly say. “You claim to have HIPAA-compliant IT infrastructure and cloud services. What’s the deal?” Well, we do.
In the absence of a government seal of approval, Peak 10 contracts annually with independent auditors who are qualified to assess and attest to the fact that our data centers adhere to the rigorous policies and procedures of the HIPAA Privacy and Security rules. The third-party examination is conducted according to specific protocols defined by the OCR, and the attestation to compliance is a recognized proxy.
Any covered entity or BA that does not do this really has no idea whether they are operating according to the rules or not, or how effective their security and privacy practices are. Saying you are HIPAA-compliant without an audit is, at best, a guess (educated or otherwise), a healthcare equivalent to cloud washing. And without an audit to prove compliance, a willingness to sign a business associate agreement can mean you think or hope you are compliant, or that you’re simply telling your customer what they want to hear without actually making the time, effort and investment to ensure compliance according to OCR rules. A BA that does have an attestation report should be willing to share it with you to substantiate its claim.
With all this debate about and burden of regulation, it’s easy to lose sight of what HIPAA and its many rules are all about. Protecting people, their privacy and their most personal information is the goal. Anywhere this data resides will come under the watchful eye of HHS and OCR. As headlines so frequently remind us, these data are prized by criminal elements for their completeness and, consequently, their value to perpetrate insurance fraud, secure prescription drugs, and steal identities.
The government’s focus to date has been on the covered entities. No doubt BAs will increasingly feel that pressure. With so much on their plates, healthcare IT professionals are seeking relief by turning to third-party vendors for critical services that involve PHI handling. The government follows the data. Whoever’s hands it passes through, it behooves them to adhere strictly to industry best practices and processes.
It’s not only a good idea. It’s the law.