HIPAA Compliance: Communications in Healthcare
The passing of HIPAA and the HITECH Omnibus acts in the US has ushered in new stringent requirements for any company handling Patient Health Information (PHI). This includes cloud service providers that store or support the transmission of PHI data. Many cloud providers, such as hosted VoIP providers, are not equipped or capable of supporting these new requirements. Covered Entities (CEs) may not know, but even hosted VoIP providers may fall under these new security requirements if they store voicemails, call recordings or patient faxes in their cloud. In addition, even those cloud providers that claim to be HIPAA compliant may not be providing an end-to-end compliant solution if they are not delivering fully secure bandwidth and authentication-controlled end device management.
What is HIPAA and HITECH Omnibus?
HIPAA or the Health Insurance Portability and Accountability Act, was passed by the US congress in 1996 with the primary goal to make it easier for people to acquire and retain their health insurance, protect and secure protected health information (PHI) and help the healthcare industry control administrative costs. Covered Entities (CE) are those entities that actually provide the treatment, payment and operations in healthcare, while Business Associates (BA) are entities that have access to PHI and provides a supporting role to a CE. Examples of CEs can include hospitals, clinics, medical groups, healthcare professionals and consultants. Examples of BAs can include a 3rd party billing company, a cloud storage company, a patient record keeping company or even a cloud communications company.
When a cloud provider uses 3rd party technology (such as BroadSoft), service outage times will increase due to the inherent communications and procedural latencies between companies.
Both CEs and BAs must be HIPAA compliant with all HIPAA security and privacy guidelines, rules and regulations when dealing with PHI content. Additionally, a BA entity must maintain HIPAA compliance (thru a downstream Business Associate Agreement) with any subcontractors or outsourced entities that have contact with PHI content.
HITECH Omnibus, or the Health Information Technology for Economic and Clinical Health, was passed into law in 2009 to promote the adoption and meaningful use of health information technology and, specifically, electronic health records (EHR). HITECH stipulates specific HIPAA security and privacy rules and penalties that BAs must comply with and works in conjunction with HIPAA to ensure the privacy and security of PHI within CE and BA entities.
HIPAA/HITECH and Cloud Service Providers
Cloud service providers may be a Business Associate (BA) if they handle electronic PHI (ePHI). As such, the cloud provider would be subject to all the rules, regulations and guidelines of a BAA under the HIPAA and HITECH acts. Furthermore, and subcontractor or other downstream entity that the cloud provider engages that has access to ePHI would also be a BA and be subject to a downstream BAA between them and the cloud service provider.
Cloud service providers must meet and maintain stringent security and privacy standards in order to be HIPAA/HITECH compliant. However, that’s only part of an end-to-end HIPAA/HITECH compliant cloud solution.
Examples of ePHI content can include patient records, scanned patient medical images, emails, voicemails, faxes and even phone call recordings. Indeed, HIPAA and HITECH place stringent security and privacy rules and guidelines on cloud service providers that many fail to meet. These rules cover four areas including administrative, physical, technical and organizational.
Let’s take a look at each area:
- Administrative – BAs must implement security management processes and procedures to prevent, detect, contain and correct security violations of ePHI data. They must have an identified security officer and must have ePHI access management procedures in place. BAs must also have ongoing security awareness training, incident and contingency plans and periodic security evaluation.
- Physical – BAs must implement physical access control to all data centers housing ePHI data as well as any end point devices (workstations, mobile devices, IP phones) that access any ePHI data.
- Technical – BAs must implement access control mechanisms to control access to ePHI data. User authentication, access logging and auditing of ePHI data access is also required. Finally, transmission security for any ePHI data transmitted to and from the cloud must be provided.
- Organizational – BAs must implement any additional procedures and policies to ensure compliance with all HIPAA security rules. All security documentation should be in written/electronic form.
Cloud providers must not only implement the necessary HIPAA/HITECH rule and regulations themselves, but they must get any sub-contractors or third-party providers that will have access to ePHI data to also follow HIPAA/HITECH rules governing BAs. The cloud provider must have signed BAAs from each sub- contractor/3rd party in order to be compliant themselves. They will be required to sign a BAA with the CE guaranteeing compliance.
HOWEVER, obtaining a BAA from the cloud provider does not completely cover the CE, as some cloud providers would lead you to believe! From the CE’s point of view, all components in the chain must be compliant in order to be fully compliant with HIPAA/HITECH. The cloud provider is one component (albeit a large component) in the chain. The access point and connectivity to the data center represents the other components that are involved in the end-to-end cloud solution.
All three components, the cloud service provider (and data center), the connectivity circuit and the end point devices (where ePHI is accessed) must be HIPAA/HITECH compliant in order for the CE to be fully compliant and secure. If for example, the end point device is not authenticated, then ePHI data accessed from that end point may be compromised. This violates the physical security rules of HIPAA. Most communications cloud service providers do not authenticate end point devices. In addition, many cloud service providers do not provide connectivity bandwidth, thus forcing the CE to acquire bandwidth from a 3rd party. The CE would then have to get a BAA from that downstream 3rd party provider as well.
If you are using or contemplating on using a cloud service provider and have ePHI data, make sure to ask your cloud provider the following questions:
- Is the cloud service provider HIPAA and HITECH Omnibus compliant?
- Is the cloud service provider willing to sign a BA Agreement?
- Does the cloud service provider have downstream BAAs with all sub-contractors that have access to ePHI data?
- Does the cloud service provider deliver an end-to-end solution for HIPAA compliance, including not just your cloud service, but connectivity and end point device authentication security?
Delivering a HIPAA/HITECH compliant solution requires significant commitment and diligence from a cloud service provider. PanTerra is 100% committed to delivering an end-to-end HIPAA/HITECH compliant solution that not only covers the cloud service, but the end devices and connectivity components as well. This end-to-end single vendor secure solution is unique in the industry.Enhanced HIPAA Level Security Features
HIPAA/HITECH security for cloud services is critical and cloud service providers can either follow the industry or lead it. PanTerra leads by being both technology and service provider. Utilizing the most advanced cloud security technologies available, PanTerra integrates enhanced security into their unified cloud services to protect and secure ePHI content and communications across the enterprise.
Interoperability features with existing security systems and environments also means that you can be confident PanTerra’s services will fit into your existing security environment.
PanTerra's HIPAA/HITECH security enhancements include:
- Multi-Factor Authentication (MFA) on ALL devices - Includes desktops, mobile devices and IP Phones. This meets HIPAA’s workstation authentication requirement and virtually eliminates VoIP phone hacking, which can compromise ePHI security and cost companies thousands of dollars! Additional MFA administrative tools are also provided including IP range white and black listing and administration MFA request approval.
- Single Sign On (SSO) authentication - Allows single secure sign on to PanTerra services through industry standard SAML 2.0 providers including active directory, OneLogin and Okta.
- Full encryption in-transit and at-rest - All content and communications transmitted from PanTerra’s data centers to customer locations is fully encrypted both in-transit (default RC4-128 encryption) and at-rest (256-bit AES encryption) within the data centers.
- Downstream BAA compliance - PanTerra supports full HIPAA compliance for all communications and content and has obtained BAAs with downstream sub-contractors and 3rd party vendors.
- Multiple Active Device Manager (MADM) - Allows any user or admin to remotely lock out any device that might be stolen or lost.
- Re-assign owner - Allows admins to instantly re-assign SmartBox content to another user. This is useful when an employee is terminated.
- Ultra-secure data centers - Employing latest HIPAA compliant physical and cyber security technology, PanTerra’s data centers are hardened to attacks including DOS, DDOS, unauthorized access, and viruses. Data center operations are constantly scanning and monitoring for cyber-attacks and continuously monitoring for new viruses and patching any at-risk software.
- Security commitment – PanTerra is 100% committed to security and has identified security personnel (security officer) to administer, manage, review and train PanTerra employees on an ongoing basis.
Written BA Agreements
For those enterprises that require HIPAA/HITECH compliance, PanTerra has an end-to-end solution and will enter into a written BA Agreement (BAA) with the enterprise (CE). In addition, PanTerra has secured all necessary BAAs from any downstream sub-contractors or 3rd party vendors that may have access to ePHI data.
PanTerra delivers an end-to-end fully compliant HIPAA/HITECH Omnibus solution, not only securing its service and data centers, but also delivering secure connectivity and full end device authentication control.PanTerra’s end-to-end solution includes:
- Full HIPAA/HITECH Omnibus Compliant Services – PanTerra has implemented all necessary administrative, technical, physical and organizational requirements to be HIPAA/HITECH compliant for all its cloud services.
- Security Protection Extended to End Devices – PanTerra implements full Multi-Factor Authentication (MFA) for all end devices as required by HIPAA.
- Downstream BA Agreements – PanTerra has secured all necessary downstream BA Agreements with sub-contractors and 3rd party vendors.
PanTerra is fully committed to delivering a secure end-to-end cloud service solution for those enterprises that want to be compliant with HIPAA/HITECH. With PanTerra, your outsourced IT services and PHI content are safe and secure. See how PanTerra can be your HIPAA/HITECH compliant unified cloud service provider today.