Ensuring Effective HIPAA Compliance with ‘Buy rather than Build’ Approach
Over the last two decades HIPAA has undergone several changes, as the role of technology in the healthcare industry has advanced manifold. It would be fair to say that HIPAA compliance has been something of a moving target, as indicated in the graph below, which shows an increase over the last decade in the complaints that the Office for Civil Rights (OCR) has investigated and resolved. These numbers suggest that covered entities are struggling with HIPAA compliance.
Healthcare startups face the uphill task of building their product or service while at the same time keeping their business transactions HIPAA compliant. Given that startups aim for a short time-to-market, achieving and maintaining HIPAA compliance by doing everything from scratch may not be the best strategy. Understanding the complex rules and then implementing the required steps takes a considerable amount of effort. A better strategy is to leverage external vendors and adopt a “buy rather than build” approach for a smoother path to HIPAA compliance.
In the last few years the healthcare industry has seen the emergence of HIPAA compliance vendors, also referred to as HIPAA hosting providers. These vendors possess HIPAA expertise and provide solutions and services that help companies achieve and maintain HIPAA compliance. Typically, these vendors offer services that meet the requirements laid out in the physical safeguards and administrative safeguards. Some vendors also offer services for technical safeguards. The finer details of the services vary from vendor to vendor.
- The physical safeguards are generally taken care of by providing a secure hosting environment and by having a security policy covering workstation and media device usage.
- The administrative safeguards are implemented by performing risk assessments, conducting security awareness training, and creating incident response and contingency plans.
- In the case of technical safeguards, compliance vendors may not fulfill all the needs, as some specific measures and decisions must be implemented while building the product itself. Examples of such product-level measures are password policy, session timeout, email contents, notification content, logging (content and frequency), authentication mechanism, and encryption and decryption. For technical safeguards, you may therefore prefer a vendor with expertise in building HIPAA-compliant healthcare applications.
Making the right choice of HIPAA hosting provider is the key to success here. While selecting a compliance vendor you might want to consider the following guidelines; they will help you make an informed decision.
- Services Offered: Carefully compare the services offered by different providers and understand the finer details of their offerings. You need a clear understanding of their security processes, encryption algorithms, backup procedures and other similar details. If the provider offers a trial version of the service, use it to evaluate how well it fits your needs.
- Customer Support: Evaluate your business needs, use cases and your own skills, and decide what type of support you would need from a vendor. “Do they offer 24-hour support?”, “What is the response time?”, and “How much downtime can I afford?” are some of the questions you will want answered when looking at this aspect.
- Audit History: Check with the vendor whether they have been audited in the past under the OCR (Office for Civil Rights) HIPAA audit protocol. If so, make sure to review their audit report.
- Business Associate Agreement (BAA): Check with the vendor whether they are willing to sign a BAA. It is necessary to sign a BAA with any entity that will handle patients' PHI (Protected Health Information).
Once you have a provider who can take care of the HIPAA compliance activities, you can focus fully on building the product and on other aspects of the business. However, always remember that HIPAA compliance is not a one-time activity; it is an ongoing process. As the product is built and the business process evolves over time, you should revisit your measures for maintaining HIPAA compliance and update them whenever needed.