4 Myths Surrounding HIPAA Certification for Hosting Providers
As more physicians integrate their patient EMR with third-party patient portals, they are looking for clarification on many issues in order to stay within the boundaries of the various regulations and to be Meaningful Use-attested. It can be difficult to tell fact from misconception, however, so let's clarify and dispel 4 myths relating specifically to HIPAA certification among hosting providers.
Myth #1: My current or prospective hosting provider is HIPAA certified.
Fact: There is no such thing as a HIPAA certification for any organization, hosting company or provider. There are guidelines, and there are certifications that may include some or all of the guidelines set forth in HIPAA. It is therefore impossible for a hosting company, patient portal vendor, or other health IT developer to be "HIPAA certified." (A hosting company can, however, acknowledge what HIPAA is and state that it adheres to these regulations in its own business practices or in a particular product offering, which some hosting companies currently do.)
Myth #2: My current or prospective hosting provider is SSAE16 certified.
Fact: In the hosting world, there is an audit standard called SSAE16 (formerly SAS70). It is important to understand that this is an auditing standard: a framework that auditors use when attesting to an organization's controls, not a credential awarded to the organization. Therefore, there is no such thing as "SSAE16 certification."
You can, however, complete an SSAE16 attestation engagement and receive different levels of reports. These reports are geared towards organizations that offer outsourced services which could affect the financial statements of a company using those services. Organizations that handle customer financial data receive an SSAE16/SOC 1 report. IT Infrastructure-as-a-Service (IaaS) providers, like most hosting companies, are audited under a framework based on AT Section 101 of the AICPA professional standards and issue SOC 2 and SOC 3 reports. The guidelines set forth in SSAE16 generally encompass the guidelines of standards such as HIPAA and PCI.
Myth #3: HIPAA is generally focused on how companies (and especially health providers) handle patient information.
Fact: In most cases, hosting companies do not "handle" data. The hosting layer is therefore generally a lower-risk area than how the software "transmits" data or how the "covered entities" (healthcare organizations, payers, EMR and patient portal vendors, etc.) control access to data. Some specific HIPAA "rules" can be read as applying to a typical hosting organization that wants to meet HIPAA guidelines. It remains the responsibility of the healthcare organization, however, to implement best practices that keep the data secure from start to finish.
Myth #4: HIPAA has minimum server hardware requirements.
Fact: HIPAA guidelines do not specify, or even mention, particular hardware requirements such as the use of firewalls or "certified" servers, as some industry experts suggest. You can certainly seek advice from third-party vendors, but "caveat emptor" (let the buyer beware)!
Here are some additional HIPAA resources:
- Summary of HIPAA Privacy Rule
- HIPAA-compliant configuration guidelines for Information Security in a Medical Center environment
- ONC-OTCB Certification Programs & Policies
- Understanding SSAE16 Compliance