HIPAA and related data protection or privacy regulations don’t apply to just health care providers. They also apply to anyone involved with the transfer, storage, retrieval and review of relevant information. This is a natural result of the industry’s migration to more-connected technologies and systems.
Often abbreviated as ePHI, electronic protected health information records are essentially digital versions of a patient’s medical data. As technology advanced, the health care industry was pushed to keep up — hence the adoption and development of virtual records and supporting systems. However, the more data there is to work with, the more pressure it puts on the systems and the hardware used to power a network.
To avoid the responsibilities and the added pressure of maintaining a large data center on-site, many health care providers opt to employ cloud-computing and remote storage solutions. That is exactly where data centers and cloud providers come into play.
However, it’s a rather common misconception that getting involved with health care providers and companies leaves the onus on them to protect shared data. That’s not the reality. In fact, data center and storage providers are just as liable for a breach of compliance.
For example, in January 2012, Minnesota’s attorney general filed a lawsuit against Accretive Health, alleging that the company failed to protect more than 23,000 patient health care records under its care.
Accretive, which is now R1 RCM Inc., provides health care facilities with management software that handles patient registration, insurance, billing and collections tracking. This also means it comes into direct contact with ePHI, as any data provider would. It’s easy to see the implications of this particular legal suit and how it might concern data center and data management teams.
Data Center Compliance Requirements
Companies and providers that collaborate with qualified HIPAA facilities must follow the same guidelines and compliance requirements — including meeting standards set forth in HIPAA and HITECH. That’s why it’s a good idea for data center managers and related parties to brush up on these compliance standards. It might even be necessary to acquire a HIPAA or related certification, to ensure a full understanding of the requirements.
Proper security must be in place to protect sensitive data, systems that are used to access it, and the sharing and retrieval of stored information. That means security is a concern not just within the walls of the data center but also on-site at the medical facility, especially for systems that can tap into a provider’s network. Certain administrative, physical and technical safeguards must be put in place, at both endpoints, to ensure compliance and protection.
HIPAA compliance is often verified by independent authorized auditors. In many cases, a data center must pursue a HIPAA-compliant or colocation certification to prove it meets all necessary guidelines. Believe it or not, there are five official HIPAA titles to acquire, all worth pursuing.
HIPAA touches on the following aspects of the data environment:
What Are the Penalties?
Finally, it makes sense to talk about what could happen as a result of noncompliance.
Parties or entities that fail to disclose a breach or don’t secure the privacy of sensitive records generally incur severe fines and penalties, some of which include:
Furthermore, individuals and entities alike face prison time for not disclosing information about a breach or protected information access.
We’re talking about incredibly serious repercussions for noncompliance, including jail time for the mishandling of information after a breach.
It’s important that data providers understand not only how to protect the sensitive data they’re handling within their facilities, but also how to proceed in the event of a breach or compliance failure.
Kayla Matthews writes about data centers and big data for several industry publications, including The Data Center Journal, Data Center Frontier and insideBIGDATA. To read more posts from Kayla, you can follow her personal tech blog at ProductivityBytes.com.