HIPAA and related data protection or privacy regulations don’t apply to just health care providers. They also apply to anyone involved with the transfer, storage, retrieval and review of relevant information. This is a natural result of the industry’s migration to more-connected technologies and systems.
Often abbreviated as ePHI, electronic protected health information records are essentially digital versions of a patient’s medical data. As technology advanced, the health care industry was pushed to keep up — hence the adoption and development of virtual records and supporting systems. However, the more data there is to work with, the more pressure it puts on the systems and the hardware used to power a network.
To avoid the responsibilities and the added pressure of maintaining a large data center on-site, many health care providers opt to employ cloud-computing and remote storage solutions. That is exactly where data centers and cloud providers come into play.
However, it’s a rather common misconception that getting involved with health care providers and companies leaves the onus on them to protect shared data. That’s not the reality. In fact, data center and storage providers are just as liable for a breach of compliance.
For example, in January 2012, Minnesota’s attorney general filed a lawsuit against Accretive Health, alleging that the company failed to protect more than 23,000 patient health care records under its care.
Accretive, which is now R1 RCM Inc., provides health care facilities with management software that handles patient registration, insurance, billing and collections tracking. This also means it comes into direct contact with ePHI, as any data provider would. It’s easy to see the implications of this particular legal suit and how it might concern data center and data management teams.
Data Center Compliance Requirements
Companies and providers that collaborate with qualified HIPAA facilities must follow the same guidelines and compliance requirements — including meeting standards set forth in HIPAA and HITECH. That’s why it’s a good idea for data center managers and related parties to brush up on these compliance standards. It might even be necessary to acquire a HIPAA or related certification, to ensure a full understanding of the requirements.
Proper security must be in place to protect sensitive data, systems that are used to access it, and the sharing and retrieval of stored information. That means security is a concern not just within the walls of the data center but also on-site at the medical facility, especially for systems that can tap into a provider’s network. Certain administrative, physical and technical safeguards must be put in place, at both endpoints, to ensure compliance and protection.
HIPAA compliance is often verified by independent authorized auditors. In many cases, a data center must pursue a HIPAA-compliant or colocation certification to prove they meet all necessary guidelines. Believe it or not, there are five official HIPAA titles to acquire, all worth pursuing.
HIPAA touches on the following aspects of the data environment:
Assigned security responsibility or the implementation of suitable security policies and procedures
Workforce security that ensures employees, vendors and partners can access only the appropriate levels of information
Information access management that establishes employee access controls
Security awareness and training across the board, especially for data center managers and active employees
Security incident procedures that document protocol for what to do in the event of a security breach
Contingency plans in case of a natural disaster or major failure
Evaluation that details scheduling for periodic evaluations of security
Business associate contracts and other arrangements that detail the responsibilities of contract workers, partners and other business associates
Physical safeguards for on-site protection
Technical safeguards for portable devices and external hardware requirements
What Are the Penalties?
Finally, it makes sense to talk about what could happen as a result of noncompliance.
Parties or entities that fail to disclose a breach or don’t secure the privacy of sensitive records generally incur severe fines and penalties, some of which include:
Monetary fines at $100 per violation and $25,000 per year for each subsequent violation
Willful neglect resulting in noncompliance of HIPAA calls for fines of $10,000 to $250,000 per year, even if the problem is fixed within a reasonable timeframe
Willful neglect that is not correct can be $50,000 to $1.5 million
Furthermore, individuals and entities alike face prison time for not disclosing information about a breach or protected information access.
We’re talking about incredibly serious repercussions for noncompliance, including jail time for the mishandling of information after a breach.
It’s important that data providers understand not only how to protect the sensitive data they’re handling within their facilities, but also how to proceed in the event of a breach or compliance failure.
About Kayla Matthews
Kayla Matthews writes about data centers and big data for several industry publications, including The Data Center Journal, Data Center Frontier and insideBIGDATA. To read more posts from Kayla, you can follower her personal tech blog at ProductivityBytes.com.