Cybersecurity has become an increasingly important aspect of web development, especially if your website handles confidential information, like patient records. According to HIPAA Journal, there were 33 data breaches reported in January of this year alone. That amounts to almost 500,000 exposed healthcare records! Most of these breaches are the result of hacking and IT incidents. Not only does a breach put patients’ information at risk, but it also carries an expensive penalty for the covered entity. Under the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, healthcare companies are required to protect medical information and to keep correspondence between patients and professionals confidential.
Covered entities (hospitals and healthcare providers, for example) are responsible for ensuring technical, physical, and administrative safeguards. This includes everything from encrypted emails to HIPAA compliant hosting. These safeguards and policies are in place to keep records safe in the case of a hack or even if a laptop gets stolen. When it comes to hosting a website that transmits personal information, whether it be on a server or through a third party, covered entities are still responsible. However, as a hosting provider, there are steps you can take to provide HIPAA compliant services.
Basic Safeguards
As a hosting provider, you can implement safeguards at the hardware, software, and application level. Websites that need to be HIPAA compliant are commonly hosted on an encrypted VPN or a dedicated server. This provides the optimal amount of resources and privacy. In addition, the server needs to employ firewalls. With any hosting plan, Sevaa provides firewall configuration, managed backups, and routine penetration tests. We also offer SSL certificates, which establish a secure, encrypted connection between your website’s visitors and the server.
Hosting providers should also keep activity logs and audit controls. Having these policies in place before an incident occurs can save you a lot of time and stress. If there is a breach, don’t panic! Having a risk management policy and contingency plan provides a protocol that you can look to for guidance. Having multiple backups ready for restoration also helps mitigate the stress of a breach or a server malfunction. Be sure to document all of your processes, including your strategy for data disposal and record destruction. Being transparent about your strategy to prevent emergencies (and to resolve one if it does happen) promotes trust and confidence between hosting providers and covered entities.
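Activity logs are only an audit control if someone actually reviews them against a policy. The script below is an added example, not Sevaa’s code or a HIPAA-mandated procedure: it parses constructed web server access log lines for a hypothetical patient-records endpoint (/records/<id>), summarises which authenticated user read which records, and flags three patterns a reviewer would want surfaced: one account reading an unusual number of distinct records, record reads outside business hours, and a burst of failed requests against record URLs from one address. The log format (combined-style with an authenticated-user field), the path convention, and the thresholds are assumptions chosen for illustration.

```python
"""Audit-control example: summarise and flag access to a patient-records
endpoint from web server access logs.

Added example, not the hosting provider's code. The log format, the
/records/<id> path convention and the thresholds are assumptions; every
log line below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: client IP, identd, authenticated user, timestamp,
# request line, status, size. Paths under /records/<id> count as PHI access.
SAMPLE_LOG = """\
10.0.0.5 - nurse01 [03/Mar/2020:09:12:01 -0500] "GET /records/1001 HTTP/1.1" 200 5120
10.0.0.5 - nurse01 [03/Mar/2020:09:15:44 -0500] "GET /records/1002 HTTP/1.1" 200 4870
10.0.0.9 - admin02 [03/Mar/2020:02:03:10 -0500] "GET /records/1003 HTTP/1.1" 200 5010
10.0.0.9 - admin02 [03/Mar/2020:02:03:12 -0500] "GET /records/1004 HTTP/1.1" 200 5030
10.0.0.9 - admin02 [03/Mar/2020:02:03:14 -0500] "GET /records/1005 HTTP/1.1" 200 4990
10.0.0.9 - admin02 [03/Mar/2020:02:03:16 -0500] "GET /records/1006 HTTP/1.1" 200 5100
10.0.0.9 - admin02 [03/Mar/2020:02:03:18 -0500] "GET /records/1007 HTTP/1.1" 200 5050
10.0.0.9 - admin02 [03/Mar/2020:02:03:20 -0500] "GET /records/1008 HTTP/1.1" 200 5020
203.0.113.7 - - [03/Mar/2020:11:20:05 -0500] "GET /records/1001 HTTP/1.1" 401 0
203.0.113.7 - - [03/Mar/2020:11:20:06 -0500] "GET /records/1001 HTTP/1.1" 401 0
203.0.113.7 - - [03/Mar/2020:11:20:07 -0500] "GET /records/1001 HTTP/1.1" 401 0
203.0.113.7 - - [03/Mar/2020:11:20:08 -0500] "GET /records/1001 HTTP/1.1" 401 0
203.0.113.7 - - [03/Mar/2020:11:20:09 -0500] "GET /records/1001 HTTP/1.1" 401 0
10.0.0.5 - nurse01 [03/Mar/2020:13:01:00 -0500] "GET /static/logo.png HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
RECORD_RE = re.compile(r"^/records/(?P<rid>\d+)$")

# Assumed policy thresholds for this example (hypothetical values).
BUSINESS_HOURS = (7, 19)       # 07:00-19:00 in the log's own time zone is "normal"
MAX_RECORDS_PER_USER = 5       # more distinct patient records than this is flagged
MAX_FAILED_AUTH_PER_IP = 3     # more 401s than this from one address is flagged


def parse_log(text):
    """Return (events, skipped): one dict per well-formed line; malformed lines are counted, not parsed."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        rm = RECORD_RE.match(ev["path"])
        ev["record_id"] = rm.group("rid") if rm else None   # None for non-PHI paths
        events.append(ev)
    return events, skipped


def audit(events):
    """Return (summary, findings): records read per user, and (rule, subject, detail) tuples."""
    records_by_user = defaultdict(set)
    after_hours_by_user = defaultdict(int)
    failed_auth_by_ip = defaultdict(int)

    for ev in events:
        if ev["record_id"] is None:
            continue                              # static assets etc. are not PHI access
        if ev["status"] == 401:
            failed_auth_by_ip[ev["ip"]] += 1      # rejected request against a record URL
            continue
        if ev["status"] == 200:
            records_by_user[ev["user"]].add(ev["record_id"])
            if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
                after_hours_by_user[ev["user"]] += 1

    findings = []
    for user, recs in records_by_user.items():
        if len(recs) > MAX_RECORDS_PER_USER:
            findings.append(("bulk_record_access", user, f"{len(recs)} distinct records"))
    for user, n in after_hours_by_user.items():
        findings.append(("after_hours_access", user, f"{n} record reads outside business hours"))
    for ip, n in failed_auth_by_ip.items():
        if n > MAX_FAILED_AUTH_PER_IP:
            findings.append(("failed_auth_burst", ip, f"{n} failed requests to record endpoints"))

    summary = {user: sorted(recs) for user, recs in records_by_user.items()}
    return summary, findings


def run(text=SAMPLE_LOG):
    """Parse and audit a log text; returns a report dict so results can be checked, not just printed."""
    events, skipped = parse_log(text)
    summary, findings = audit(events)
    return {"events": len(events), "skipped": skipped, "summary": summary, "findings": findings}


if __name__ == "__main__":
    report = run()
    print(f"parsed {report['events']} events, skipped {report['skipped']} malformed lines")
    for user, recs in report["summary"].items():
        print(f"{user}: {len(recs)} record(s) {recs}")
    for rule, subject, detail in report["findings"]:
        print(f"FLAG {rule}: {subject} ({detail})")
```

On the constructed sample, nurse01’s two daytime reads produce no finding, while admin02 is flagged twice (six distinct records, all read at 02:03) and the unauthenticated address is flagged for five consecutive 401s. Keeping the thresholds in named constants, and keeping the rules in one place, is what makes the review repeatable and lets the documented policy and the running check be compared during an audit.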
Business Associate Agreement
When a covered entity contracts a hosting provider, it will need to provide a Business Associate Agreement (BAA). This contract gives the hosting provider, or business associate, access to sensitive data and holds it accountable for that data’s protection and security. A BAA includes 10 major provisions:
- How much protected health information (PHI) the Business Associate is allowed to disclose.
- The business associate will not release more than what is stated in the contract.
- Ensure that the business associate has the basic safeguards (described above) in place.
- Encourage transparency in the case of a breach.
- The business associate cannot withhold PHI when a patient asks for his/her own records.
- Clarify which components of the HIPAA Privacy Rule the business associate is responsible for.
- The business associate should make accessible its internal practices, policies, and records for the US Department of Health and Human Services.
- If the BAA is terminated, the business associate must return or destroy all PHI received from the covered entity.
- Contractors in association with the business associate must also sign the BAA.
- Finally, the covered entity has the right to terminate the BAA if the business associate violates any rules listed in the contract.
Although it is primarily the responsibility of the covered entity to ensure HIPAA compliance, hosting providers can take the necessary measures to ensure best practices. Sevaa Group offers HIPAA-compliant hosting, and generally encourages cybersecurity at every level of development. With a DevSecOps approach, we focus on data security and privacy from the onset, so that developers don’t have to troubleshoot after a site goes live and clients don’t have to stress.