Tuesday, March 26, 2013

Q&A: Online Tech's April Sage Explains How HIPAA's New Rules ...

April Sage, Online Tech director of healthcare vertical for CPHIMS, discussed how the new HIPAA rules will affect web hosting companies.

As the healthcare industry prepares to comply with new Health Insurance Portability and Accountability Act regulations beginning March 26th, web hosting providers are forced to consider how these broader patient-privacy rules could impact their operations and practices.

From now on, web hosts will be directly responsible for proving that a breach caused no damage. This means that web hosting companies will need to implement security protections for all data and transactions, effectively creating a paper trail for every customer transaction.

Many web hosts have already announced in the past few months that they have updated their security practices to comply with the new HIPAA rules, including Online Tech and Peak 10.

In this expansion to the 1996 act, the new HIPAA regulations provide greater protection for patients by broadening health-information privacy, as well as ensuring that these rules also apply to vendors that contract with healthcare companies.

Web hosts and other businesses will have until September 23rd to comply with the new HIPAA regulations.

In an email interview with the WHIR, April Sage, Online Tech director of healthcare vertical for CPHIMS, discussed how the new HIPAA rules will affect web hosting companies and their practices.

WHIR: How will these new HIPAA regulations give healthcare customers greater protections?

April Sage: Protecting sensitive information is hard to overstress in the current climate of aggressive cyber threats. The black market value of patient information, potential for patient harm or embarrassment, and damage to the reputation of care providers and the vendors supporting them makes a breach of protected health information a high-stakes game. The final HIPAA privacy and security rules released January 17th clarify that the responsibility to protect health information extends throughout the chain-of-trust; that includes hosting providers whose clients might store, transmit, or process protected health information. We are Business Associates, in the eyes of the Department of Health and Human Services. As such, we're subject to the same criminal and civil liabilities as the health care providers, referred to as Covered Entities, that we serve. Granted, it can make for a sobering gulp at first glance of a Business Associate Agreement, but PHI is like live ammo: you have to take adequate protections.

WHIR: Do you think these regulations will help cut down the number of security breaches for your customers?

AS: Online Tech grew up with compliance, starting with Sarbanes-Oxley regulation. Between that and other standards like PCI DSS, we were already engaging in annual independent audits, cultivating a culture that was highly process-oriented and focused on following standards and consistent procedures. The HIPAA privacy and security rules didn't introduce many surprises in terms of technical or physical safeguards, but it did change our approach to administrative safeguards. For example, one big change for Online Tech in becoming HIPAA compliant was the extension of HIPAA security training conducted throughout the entire organization, beyond those dedicated to security and technology. As a company, it made us more aware of why compliance is important, and contributed to a higher level of security awareness.

When a company as a whole is united and aware of the importance to protect PHI, and we have all eyes and minds thinking about it; that has to help security. After all, uninformed human error is one of the biggest contributors to breaches. It also helps our security and technical staff that the company as a whole has a good understanding of and supports the policies, procedures, and security restrictions they ask us to abide by. For companies that aren't used to a comprehensive culture of compliance and security, these regulations will force more attention to policies and procedures across the entire organization.

WHIR: What is Online Tech doing in order to comply with the new HIPAA regulations?

AS: Online Tech began the HIPAA compliance journey with a risk assessment and gap analysis against the administrative, technical, and physical safeguards by a Certified HIPAA Security Specialist. The challenge in the first audits was trying to interpret fairly vague guidelines in terms of what was appropriate for a hosting provider. We based many of our controls on basic security frameworks as a guideline. Last year, we had the benefit of following the OCR Audit Protocol which gave us a better framework for our auditors to follow. We've relied heavily on close partnerships with our healthcare IT attorneys and independent auditors to give us critical feedback on our controls. It's not something you can realistically do yourself; it's just too easy to avoid the hard, honest interpretations where you have some work to do when budget and time constraints get challenged. We'll continue investing in annual independent HIPAA audits to make sure we're staying current with modifications to the rules as our products and services continue to evolve.

WHIR: Are there any regulations you would add that you think the Department of Health and Human Services may have overlooked?

AS: In some ways, it would be easier if the Department of Health and Human Services were more prescriptive in their definition of the safeguards. Part of the problem is that the HITECH legislation covers such a widely diverse network of health care providers and vendors that it's not realistic to get to a granular level of detail. The list of exceptions quickly becomes complex if you try to define specific technologies, policies, or procedures for all Business Associates. Those who are in the IT fields have looked to common security frameworks such as NIST to draw from in defining appropriate safeguards. The same ideas may not apply for BAs who are installing remote monitoring devices or law firms who may have PHI in the course of representing Covered Entities or groups of patients. Perhaps the Office of Civil Rights will release more detailed regulations as time goes on and they have the benefit of the takeaways from the KPMG audits. In the meantime, those in the technical space will have to look towards familiar security frameworks when it comes to specific IT implementations to protect PHI.

WHIR: Do you think these new regulations will lead to increased prices for your HIPAA compliant hosting services?

AS: Online Tech invested in independent auditing and additional safeguards early in the game, so those protections are already baked into our costs. We've been able to leverage our legacy of compliance to be competitively priced despite the additional administrative safeguards. We don't see our pricing for our HIPAA hosting services increasing because of the final rules that take effect March 26, 2013. We are seeing many of our traditionally colocation customers in the healthcare space inquire about moving to private clouds when it comes to spending capital on a full hardware refresh. In this way, we expect our clients to continue moving into higher levels of managed services.

Talk back: Have you already updated your practices to comply with the new HIPAA regulations? Do you think web hosts like Online Tech will see increased business from healthcare companies as a result of their early compliance with the new HIPAA rules? Let us know in a comment.

Justin Lee

About Justin Lee

Justin Lee has been a staff analyst with the WHIR since 2004. He writes about a range of web hosting and IT-related issues facing the industry on the WHIR website, as well as in the print version of the WHIR magazine. Follow him on Twitter @Justin_theWHIR.

Source: http://www.thewhir.com/web-hosting-news/qa-online-techs-april-sage-explains-how-hipaas-new-rules-will-affect-web-hosts
