{"id":259,"date":"2016-06-24T10:50:42","date_gmt":"2016-06-24T17:50:42","guid":{"rendered":"https:\/\/www.wowrack.com\/blog\/?p=259"},"modified":"2024-03-05T17:16:58","modified_gmt":"2024-03-05T10:16:58","slug":"three-important-questions-cloud-providers-hipaa-compliancy","status":"publish","type":"post","link":"https:\/\/www.wowrack.com\/en-us\/blog\/compliance\/three-important-questions-cloud-providers-hipaa-compliancy\/","title":{"rendered":"Three Important Questions to Ask Cloud Providers Regarding HIPAA Compliancy"},"content":{"rendered":"<h1 id=\"to-aid-healthcare-providers-who-are-interested-or-are-looking-to-make-the-next-step-to-a-cloud-solution-here-are-three-mission-critical-questions-you-need-to-examine-before-signing-on-the-dotted-line\">To aid healthcare providers who are interested or are looking to make the next step to a cloud solution, here are three mission-critical questions you need to examine before signing on the dotted line with cloud vendors.<\/h1>\n<p>The <a href=\"http:\/\/icitech.org\/wp-content\/uploads\/2016\/01\/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf\" rel=\"nofollow noopener\" target=\"_blank\">Institute for Critical Infrastructure Technology<\/a> recently reported an alarming 47 percent of Americans had their healthcare data compromised in the past 12 months. The healthcare industry has been\u00a0the most heavily targeted in terms of reform and regulations, yet it is seemingly the most under-prepared in terms of infrastructure compliance. 
Moving to a cloud-based infrastructure is becoming a popular choice in the industry because of its economic advantage, and because it can address some of the concerns surrounding HIPAA compliance in the cloud.<\/p>\n<h2 id=\"are-your-data-centers-regulated-by-sas-70-type-ii-ssae16\"><strong>Are your data centers regulated by SAS 70 Type II (SSAE16)?<\/strong><\/h2>\n<p>If vendors don\u2019t have a Statement on Auditing Standards (SAS) 70 Type II report, then they shouldn\u2019t even be in compliant hosting. <em>Period<\/em>. This is the hallmark of a well-run PCI\/SOX\/HIPAA compliant infrastructure. A SAS 70 Type I report only states that policies and procedures exist; it does not verify that the Business Associate (i.e., the cloud vendor) adheres to them. SAS 70 Type II takes it a step further and actually tests the controls and operations over a specified time period, providing a much more comprehensive and transparent view of the environment that secures your data.<\/p>\n<p>A Statement on Standards for Attestation Engagements (SSAE) 16 is the latest auditing standard and has replaced the SAS 70 standard as of 2012. Data centers and managed service providers that host systems relevant to their customers' reporting are accountable for implementing specific controls and procedures in those systems.<\/p>\n<p>Compliance with current auditing standards significantly improves the security and management of patient data, and it is vital to know that your vendor also understands that importance.<\/p>\n<p><em>Further steps include a provider showing you evidence of aggressive penetration testing performed on their systems. 
This demonstrates that they are serious about treating your data with integrity, and it is an excellent sign to present during HIPAA audits.<\/em><\/p>\n<h2 id=\"how-will-cloud-providers-design-a-hipaa-compliant-architecture\"><strong>How will cloud providers design a HIPAA compliant architecture?<\/strong><\/h2>\n<p>Since 2009, the Federal Government has been using a \"carrot\" and \"stick\" approach to motivate the move towards electronic health records (EHRs). Billions of dollars in incentives are provided to healthcare providers if they play by the rules set by the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act (ARRA).<\/p>\n<p>The \"stick\" in this case is the enforcement of HIPAA rules carried out by the <a href=\"http:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/enforcement-rule\/index.html\" rel=\"nofollow noopener\" target=\"_blank\">Office of Civil Rights<\/a> (OCR). Violations can result in fines ranging from thousands to, in some cases, millions of dollars. Covered Entities also receive a permanent mark in history by being listed on the HIPAA <a href=\"https:\/\/ocrportal.hhs.gov\/ocr\/breach\/breach_report.jsf\" rel=\"nofollow noopener\" target=\"_blank\">Wall of Shame<\/a>.<\/p>\n<p>Make sure that the architecture can be built to meet the metrics outlined for Meaningful Use. As a reward for designing a compliant infrastructure, the Medicare and Medicaid EHR <a href=\"https:\/\/www.cms.gov\/Regulations-and-Guidance\/Legislation\/EHRIncentivePrograms\/index.html?redirect=\/ehrincentiveprograms\/\" rel=\"nofollow noopener\" target=\"_blank\">incentive programs<\/a> will reimburse healthcare providers with incentive payments for implementing certified Health IT modules. 
Once your architecture is tested to meet the standards and criteria regulated by the U.S. Department of Health &amp; Human Services (HHS), it needs to be certified by the <a href=\"https:\/\/www.healthit.gov\/policy-researchers-implementers\/about-onc-health-it-certification-program\" rel=\"nofollow noopener\" target=\"_blank\">ONC-Approved Accreditor<\/a> (ONC-AA).<\/p>\n<p>Ask your provider to explain the outcomes of your architecture build. It should provide the flexibility to customize health IT to support physicians, allow open application program interfaces (APIs) to flourish and work well with the infrastructure, and prioritize interoperability under Federal Standards to promote real-world uses of the technology. No business model should inhibit or impede data from being readily available when patients need it.<\/p>\n<p>Find out how your cloud solution handles protected health information (PHI) and in what specific ways the architecture is being designed to meet Meaningful Use.<\/p>\n<h2 id=\"what-am-i-responsible-for-and-what-is-the-vendor-responsible-for\"><strong>What am I responsible for and what is the vendor responsible for?<\/strong><\/h2>\n<p>This is by far the most misunderstood element of the relationship between healthcare providers and cloud vendors. Many vendors like to advertise that they will take full responsibility (conveniently, usually only after an incident has occurred), but ultimately it\u2019s up to the healthcare provider to comply with HIPAA regulations. 
Vendors can send alert emails, warn about red-flag behaviors, and monitor for unusual activity, but both sides need to acknowledge their responsibilities in the event of a breach, outage, or data leakage.<\/p>\n<p>Take the time to go over your Business Associate Agreement (BAA) and discuss in detail what expectations apply to both parties, so that a mutual understanding is signed, sealed and delivered.<\/p>\n<p>Investigating these three aspects ensures that you are practicing due diligence in achieving HIPAA compliance with the cloud by:<\/p>\n<ul>\n<li>Reducing the risk of non-compliance with HIPAA regulations<\/li>\n<li>Achieving higher returns on investment (ROI) than you would with an in-house solution<\/li>\n<li>Gaining advanced data encryption and password management<\/li>\n<li>Obtaining detailed audit tracking that supports external and internal compliance inspections<\/li>\n<li>Enhancing security around potential breaches\/threats<\/li>\n<li>Reducing capital expenditures (CapEx)<\/li>\n<\/ul>\n<p>The investment in planning your cloud Infrastructure as a Service (IaaS) should allow you to manage care through protected access and enable safe sharing of health information. Start filling the skills and resource gaps of your IT department so you can focus on solving patient needs instead of playing \"Operation\" on servers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To aid healthcare providers who are interested or are looking to make the next step to a cloud solution, here are three mission-critical questions you need to examine before signing on the dotted line with cloud vendors. 
The Institute for Critical Infrastructure Technology recently reported an alarming 47 percent of Americans had their healthcare data [&hellip;]<\/p>\n","protected":false},"author":10,"featured_media":12805,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[946,617],"tags":[1036,990,1056],"class_list":["post-259","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-compliance","tag-cloud","tag-healthcare","tag-hipaa","post-wrapper"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/posts\/259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/comments?post=259"}],"version-history":[{"count":0,"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/posts\/259\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/media\/12805"}],"wp:attachment":[{"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/media?parent=259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/categories?post=259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wowrack.com\/en-us\/wp-json\/wp\/v2\/tags?post=259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}