
Ever since the stimulus package passed in 2009, the reach of the regulatory requirements has extended beyond healthcare providers to include all of their business associates, such as the accountants, lawyers and IT providers who work with those providers.
With this extension of the law, organizations are not only reliant on the services they provide each other; they are now also reliant on each other to be compliant. In effect, anyone and everyone who touches protected patient health information is accountable and can be penalized for failing to comply with the HIPAA/HITECH regulatory requirements.
Patient health information must be secured, privacy must be ensured, the patient/consumer needs to understand what is being shared and exposed, and the provider must obtain an explicit agreement from the patient as to what can be shared.
Naturally, the depth and breadth of these requirements raise a concern for businesses that consider moving some or all of their operations to the cloud as an alternative to their traditional on-premises IT services: the issue of losing control over their data.
Why bother with the cloud at all?
There are benefits to moving some or all of a business's operations to the cloud. As an example, many hospitals do not have a well-developed IT infrastructure to support the ongoing regulatory developments and their related audits. Private cloud and hybrid cloud options therefore come squarely into play as a way to achieve this objective while also consolidating systems and processes, thereby driving down costs.
Another good example is the option to overcome the lack of in-house IT personnel and knowledge required to manage all of the systems, technologies and related business operations on a daily basis. This is where an outsourced IT business model can produce tremendous results for some difficult items, such as preventing system intrusions, preventing internally driven data breaches, and encrypting patients' information both while it is stored on servers and while it is transmitted to other entities.
With more than 3 million providers and business associates that must show they are compliant with HIPAA/HITECH, the cloud is certainly the best way for a majority of them to proceed.
Take advantage of low-flying cloud costs
The first step to gaining control of healthcare compliance is to understand the requirements and to perform an assessment of the current working environment against those requirements.
To maintain control of the process and the data, one should perform a self-guided assessment without requiring any protected data to leave the business. The protected patient health information should stay with the business during the assessment; only the assessment information should be securely stored in the cloud, in a SAS70 certified datacenter.
All entities involved in meeting the requirements must be rolled into the survey and analysis. This includes all covered entities (CEs) and business associates (BAs). The results of the survey should provide a clear view into the gaps exposed, as well as identify which gaps need to be further assessed for risk. The potential damage from not addressing the risk should be made obvious by the solution as well.
Once the compliance gaps and risks are assessed, the next step is to take definitive measures, through processes and safeguards, to mitigate the compliance and security risks identified.
The traditional way to handle this process would be to install software or an appliance directly onto the network. As most hospital networks understand, this can be both costly and difficult to maintain. By bringing the process to the cloud, however, collaboration across business boundaries can be performed with little investment in deployment and maintenance.
One of the key benefits of moving a process to the cloud is that the service should not cost a lot upfront, should not cost a lot for the subscription, and should not require payment when the service is not being used.
How to begin an assessment
Most hospitals simply don't know where to start. The unknown can be overwhelming for them, and the complexity of the problem is directly related to the unknowns in meeting the requirements. Most businesses will stop their evaluation at understanding what HIPAA mandates and are unlikely to move beyond that initial step to gap identification and risk assessment.
An easy way for businesses to begin their assessment is by asking themselves a simple set of questions: Do you travel with a laptop? Do you manage patient information? How and where is the patient information stored, accessed, used and transmitted? Would your business be impacted by a breach of this data through any means captured in these questions?
Another common hurdle that challenges a number of hospitals is selecting and implementing the most appropriate solution for their business. Directly tied to this are the costs of acquiring the resources needed to perform the implementation and maintenance. To further exacerbate the problem, assessment is not a one-time event, forcing the business to revisit this problem over and over again.
What's the icing on the cake? Audits. If a business gets audited, it will certainly want its information to be able to stand up to the scrutiny of the auditors, historically, year after year, for every audit to which it is subjected.
Let the cloud provider spend the money
We are reading more stories and articles capturing the trend that the public cloud could in fact be more secure than even the organization's own in-house network. That's because the cloud provider will likely spend more resources to secure the environment, probably a great deal more than a hospital with limited resources is able to invest alone.
As IT security may not be a key skill set for the hospital, leveraging the cloud lets the business perform operations more securely and within regulatory guidelines.
All health-oriented businesses that are using, accessing, storing and sharing patient information must realize that meeting the HIPAA/HITECH requirements is like getting a yearly physical exam. If the annual physical is ignored year after year, the business might find one of its processes stricken with a regulatory disease that is hard to treat or too late to cure.
**********
About the Author
Anupam Sahai is president of eGestalt Technologies, a provider of IT security, governance, risk management and compliance (IT-GRC) solutions based in Santa Clara, Calif. With more than 21 years of IT experience and three worldwide patents, Sahai has held positions with Silicon Graphics, Hewlett Packard and Microsoft. He holds a bachelor's degree in engineering from IIT Kharagpur, India, a master's in Computer Science from IIT Kanpur, India, a master's in engineering and an MBA degree from The Sloan School of Management at MIT. You can reach him at anupam.sahai@egestalt.com.