The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the foundational data privacy laws in the United States. It sets national standards for how healthcare providers, health plans, and healthcare clearinghouses handle protected health information (PHI) across healthcare transactions. Enacted to improve the portability of health coverage and to reduce fraud and abuse in the healthcare system, the law fundamentally changed the way organizations handle patient health information and forced many of them to adopt much stricter policies to protect its security and privacy.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which introduced incentives to promote the adoption of electronic health record (EHR) systems, significantly expanded these protections for electronic protected health information (ePHI), notably by making business associates directly liable for complying with the HIPAA Security Rule. Under HITECH and the 2013 Omnibus Final Rule that implemented it, the penalties for non-compliance increased and the rules for notifying affected individuals and government regulators of data breaches were strengthened. It is no surprise, then, that data center compliance standards place a strong emphasis on HIPAA and HITECH compliance.
While often considered the sole concern of the healthcare industry, HIPAA and HITECH apply to any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This means that third-party vendors must comply as well, whether they handle the data as a business associate or as a subcontractor of one. Since most of this data is now electronic, the list of companies that need to take compliance into consideration is long. More importantly, the widespread handling of ePHI also increases risk and liability in the event of a data breach.
In June 2019, Retrieval-Masters Creditors Bureau was forced to file for bankruptcy after its collections business, American Medical Collection Agency (AMCA), suffered a data breach that potentially exposed the personal information of roughly 20 million people. AMCA did not perform healthcare services itself; it provided billing and collection services to several leading healthcare providers and laboratories, which is exactly what made it a business associate under HIPAA. The case is a stark reminder that no organization handling PHI can afford to take HIPAA compliance for granted.
To obtain and maintain compliance with regard to sensitive healthcare data, data centers must demonstrate that they have implemented a number of security measures, including (but not limited to):
HIPAA violations can occur for any number of reasons. Some of the more common enforcement actions stem from failure to perform a risk analysis, improper disclosures of protected health information, and failure to notify authorities or affected individuals of a data breach.
Of course, data breaches tend to command the most attention when it comes to high-profile HIPAA violations, as was the case with the health insurer Anthem, whose 2015 breach led to a record-setting $16 million settlement with the Department of Health and Human Services in 2018.
When an organization fails to disclose a breach or does not properly secure sensitive records, it can be subject to civil monetary penalties. These penalties are broken into four distinct tiers based on the organization's level of culpability:
With scrutiny of protected health information practices more intense than ever, companies need to make sure they comply with HIPAA requirements or face the risk of lawsuits, fines, media scrutiny, and, ultimately, bankruptcy. A colocation data center with a strong commitment to compliance can give an organization the peace of mind it needs to stay focused on growing its business while protecting its valuable healthcare data.