2016-07-29

HIPAA is a big deal in the US for most businesses involved in the health sectors. And if these companies are HIPAA compliant – and they want to outsource HIPAA hosting or store data in Canada – they need to work with a provider that offers HIPAA compliant managed services.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Its first purpose was to allow patients to obtain new health insurance when switching jobs even if they have a pre-existing condition. It was also the first US act to systematically regulate what it called Protected Health Information (PHI): personal medical documentation such as bills, claims, prescriptions, lab results, medical opinions, and appointment records. The act went into effect in 2003 and primarily affects health insurers, sponsored health plans, and medical service providers.

HIPAA also addressed the growth of networked ICTs in the 90s by including provisions regulating standards for electronic PHI (ePHI) transmitted through insurance billing and the digital sharing of medical information. These regulatory efforts became urgent in an era of increasing computerization: electronic databases and online report filing replaced difficult-to-find, single-copy medical charts with electronic documents that are now instantly accessible from virtually anywhere. Not surprisingly, the 90s coincided with a spike in public concern over digitization and public privacy protection.

Today, HIPAA regulations apply similarly to PHI and electronic PHI (ePHI). And the penalties for infractions, in either case, can be steep. According to the American Medical Association, HIPAA minimum penalties run at $100 per violation. Maximum penalties go as high as $50,000 per violation and up to an annual maximum of $1.5 million. “Knowingly” obtaining or disclosing PHI may result in up to five years imprisonment – and up to ten years if done for commercial gain.

HIPAA’s privacy concerns have contemporary relevance in areas including electronic health records (EHR), accountable care organizations, telemedicine, health information exchanges, and with other technologies like mobile devices and cloud computing.

HIPAA Hosting in Canada for MSPs

The act has gone through some considerable changes since its implementation in 2003. And knowing some of the changes in underlying HIPAA definitions is critical for Canadian Managed Service Providers (MSPs) providing HIPAA hosting in Canada on behalf of US clients.

Amendments in 2009 and 2013 beefed up HIPAA’s compliance and enforcement provisions and created more rules for dealing with ePHI. The 2013 HIPAA Omnibus Rule distinguished Business Associates from covered entities, and indicated the former were “directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.”

To explain, the original HIPAA Security Rule laid down administrative, technical and physical standards for dealing with ePHI. Initially, these applied to covered entities who were responsible under HIPAA for establishing, enforcing and tracking risk management, breach reporting, data handling and disaster recovery strategies.

The 2013 Omnibus Rule expands the Security Rule to explicitly include contractors who may only be dealing with ePHI at second- and third-hand levels. To clarify further, a June 2013 article from the BakerHostetler law firm titled “HIPAA, Business Associates, and the Cloud” says cloud providers are not HIPAA-exempt. Instead, it suggests that custody of sensitive data, and not the degree of access, is the guiding principle determining whether an MSP is liable under HIPAA.

The implications of this opinion should be clear: Canadian MSPs who deal with US healthcare companies are in many cases responsible for ensuring they are HIPAA compliant. Failing to do so may put their clients and themselves at risk.

Thankfully, the Security Rule provides leeway by remaining open on measures such as what hardware and software to use, what encryption methods to employ, and how to train and certify employees. This flexibility allows MSPs room to implement context-specific compliance appropriate to the scale of their organization. It also avoids locking covered parties into using obsolete technology.

What MSPs Must Specifically Do to Be Compliant

Cartika and others certified to deliver HIPAA hosting in Canada must meet the following requirements. First, the organization is expected to sign what’s called a “Business Associates Contract” where an MSP takes liability for elements such as infrastructure, data center and managed services.

The HHS Security Papers lay out more detailed guidelines for HIPAA compliance, which ask organizations to consider and document “reasonable and appropriate” security measures in making their choices. The papers include discussion of:

Facility Safeguards: secure door locks, electronic access systems, restricted access signage, alarms, property control tags, identification badges, security officers, or video monitoring. These can also include tracking maintenance and workstation use; creating visitor sign-ins and escorts; and keeping tabs on device and media re-use and disposal.

Security Awareness and Training: annual HIPAA certification courses for staff; periodic retraining for workers to adapt to changing hardware, software, environment and policies; employee security reminders about malware and phishing emails; log-in monitoring and password management; and so on.

Access Controls: features such as user identification, emergency access procedures, automatic logoffs, two-factor authentication, and encryption/decryption to ensure safe data transmission where it travels across open networks.

Audit Controls: advanced logging and log maintenance, and other measures deemed “reasonable and appropriate” to ensure continued network monitoring for privacy breaches and unauthorized access.

Data Integrity: offsite data backups as part of a disaster recovery plan, as well as consideration of other measures that automatically check data integrity, such as checksum verification, digital signatures, double-keying and message authentication.

Another opportunity for MSPs is to specialize by industry vertical or application. This has been a long-time trend in the hosting space, but MSPs have found it difficult because they have had to contend with the time, cost and effort that goes into managing the infrastructure layer. One thing is for certain, in this new reality, MSPs can provide significant value far beyond managing servers, networks, and storage. They can also create more profitable revenue streams than they could in the recent past as the price of IaaS has eroded.

The Bottom Line for HIPAA Hosting in Canada

Any company hosting HIPAA-compliant data in Canada needs a compliant hosting provider. This is to provide HIPAA-compliant data encryption, disaster recovery, reporting, vulnerability scanning, and other measures ensuring the integrity and privacy of US ePHI.

Furthermore, while HIPAA can feel like an obligation, managed service providers that specialize in network security and data integrity can create opportunities for themselves in Compliance-as-a-Service (CaaS). Canadian MSPs, in particular, are well-positioned to provide HIPAA hosting at lower cost and with better security than most in-house IT operations can.
