As a provider of patient portal, SaaS (software as a service) applications, and hosting solutions to the healthcare industry, we get asked this question a lot. Before we can answer the question correctly, we must first understand how HIPAA relates to software and hosting, and what is involved in HIPAA compliant IT.
The Health Insurance Portability and Accountability Act was enacted in 1996 to address the growing use of technology in healthcare, specifically the transaction of health information between providers, employers and health insurance plans. You don’t need to read the entire 349-page document to understand a few important principles of HIPAA. Here are some of these considerations and relevant certifications.
- HIPAA makes almost no reference to technical specifications required for hardware or software security. Even if it did, they would be completely out of date – the law having been passed in 1996 – and would not contain much relevant information about newer technologies such as SaaS software and cloud hosting. Therefore, it is important not to put stock in claims made by companies that the use of certain brands of firewalls, servers, operating systems or server architectures makes them compliant.
- You cannot be “HIPAA certified.” HIPAA is a set of rules and best practices. There is no government certifying body that certifies software, hosting companies or health organizations on HIPAA.
- You can be audited by a variety of governing bodies for HIPAA compliance. Other certifications do exist that may include some of the rules or best practices found in the HIPAA guidelines. Some of these certifications include:
  - SSAE16 – An auditing standard created primarily for the financial services industry that verifies hosting companies’ physical and software security standards. Hosting companies that are audited receive reports demonstrating compliance for SOC 1, SOC 2 or SOC 3.
  - ONC-ACB – An Office of the National Coordinator certification that allows healthcare software companies to certify their software on a variety of security and functional items.
Keeping the above in mind, the answer, when it comes to considering cloud servers and SaaS applications HIPAA compliant, is that the software itself is only part of the big picture. Even if there were a HIPAA certification for SaaS software, it would not guarantee HIPAA compliance – there could still be faults in the hosting, the computer being used, user authentication, or in the user operating the software in a public place.
There is no specific provision in the HIPAA guidelines that opposes the architecture of a cloud server, VPS server or SaaS application (even though by nature these are “shared” architectures). One must, however, consider the HIPAA guidelines that do exist pertaining to encryption, user authentication and other best practices.
Editor’s Note: This post was originally published in March 2013, and has been updated with links to current resources and additional information about HIPAA compliance auditing.