Health Care: What HIPAA Means for Data Centers
Mike Klein is president and COO of Online Tech, which provides colocation, managed servers and private cloud services.
For the health care industry, the increasing pressure to implement meaningful use, reduce healthcare costs, and improve care outcomes while protecting patient interests has led to strategic review and overhaul by many healthcare providers and vendors. Balancing the benefits of outsourcing data center and hosting services with the risks of engaging an off-premise business associate is daunting. That’s especially true in the wake of penalties and fines imposed by the Department of Health & Human Services and the Office of Civil Rights for PHI (protected health information) breaches.
Protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) is the essence of the HIPAA Security Rule. Since data centers typically store, transmit or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards and ongoing due diligence apply just as much in the data center as in a provider’s facility.
Data Centers Could Be Held Responsible
While there is some debate about the responsibilities of business associates for the protection of ePHI, all indications point towards business associates being held as responsible as covered entities. Consider the latest notice of proposed rulemaking that speaks to the extension of responsibilities from covered entities to business associates:
“As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain or transmit on behalf of the covered entities.”
Both covered entities and business associates should bear in mind that prosecution by the Office of Civil Rights (OCR) under HITECH is not the only legal concern. Last year, there was a significant increase in state and consumer lawsuits against both covered entities and business associates. For example, in January 2012, the Minnesota Attorney General filed a lawsuit against Accretive Health for failing to protect the confidentiality of over 23,000 patient healthcare records.
The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards and ongoing compliance governance standards are followed no matter where ePHI resides. This means that data centers, whether in-house or outsourced, need to fully embrace complete responsibility for ePHI. In the areas of administrative safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare providers tend to be stronger. In the areas of technical safeguards and PHI availability, professional data center companies that invest extensively in redundant facility infrastructure and security may be the safer bet.
Ideally, either a healthcare provider would have infinite resources to build and maintain multiple, high-availability data centers or a data center hosting Business Associate would have a thorough understanding of HIPAA compliance including a HIPAA security risk analysis and management, policies, training of all employees, and ongoing HIPAA compliance audits.
What Makes a Data Center HIPAA Compliant?
Data centers need to adhere to the administrative, physical and technical safeguards and standards set forth by the HITECH act to be HIPAA compliant. The Security Management Process described under §164.308(a)(1) includes requirements for HIPAA Risk Analysis and Risk Management, which “form the foundation upon which an entity’s necessary security activities are built.”
The data center’s HIPAA Report on Compliance, sometimes referred to as an HROC, provides the baseline for the risk analysis and management plan. It also serves as a useful point of comparison across the various HIPAA standards, citations, and implementation specifications when outsourcing to a third-party data center business associate.
Data center providers who have invested in an independent HIPAA risk assessment should be able to provide a copy of their HIPAA compliance report upon request, at least under NDA. When a data center business associate can provide a HIPAA compliance report, it saves covered entities (CEs) the significant cost of evaluating HIPAA compliance themselves, an evaluation that should happen before entering into a partnership. If a CE elects to outsource data center hosting services to a business associate that does not have, or will not provide, an independent HIPAA report on compliance, the CE will have to bear the burden of evaluating compliance and proving due diligence.
Other Administrative Safeguards that should be in place in all data centers that store, transmit, or process ePHI include:
- Assigned Security Responsibility §164.308(a)(2)
- Workforce Security §164.308(a)(3)
- Information Access Management §164.308(a)(4)
- Security Awareness and Training §164.308(a)(5)
- Security Incident Procedures §164.308(a)(6)
- Contingency Plan §164.308(a)(7)
- Evaluation §164.308(a)(8)
- Business Associate Contracts and Other Arrangements §164.308(b)(1)
Beyond administrative safeguards, there are physical safeguards, technical safeguards and organizational requirements (including the ability to sign a Business Associates Agreement) that are key considerations in building a HIPAA compliant data center. Online Tech has resources on its website about the intersection of the health care and data center industries.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
 U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Basics of Risk Analysis and Risk Management; http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
Typo on the second header – should be ‘What Makes a Data Center HIPAA Compliant?’
Data centers with healthcare clients should consider a SOC 2 addressing privacy based on the AICPA’s generally accepted privacy principles. GAPP aligns well with the requirements of HIPAA. As covered entities, SOC 2 will help them assess the controls you have in place as a business associate.
Brian – Thanks for your comment. Certainly SOC 2 brings a somewhat better level of objectivity to data center audits than SSAE 16 (SOC 1), but it is not a substitute for a HIPAA audit. HIPAA requires specific policy, personnel training and breach remediation processes that are not covered in SOC 2 audits. In addition, the HIPAA security rules are very different from SOC 2 standards.
We support 4 different audits for each of our data centers: SSAE 16, SOC 2, HIPAA and PCI. Each audit has its own purpose and own requirements. While SOC 2 helps data centers move towards a more objective audit, it’s not a substitute for HIPAA or a PCI audit.
You can bet that HHS isn’t going to accept SOC 2 as a proxy for HIPAA compliance when it comes to penalties associated with PHI breaches. The only real diligence is a HIPAA Report on Compliance.