Why Your Data Center Needs to be HIPAA and HITECH Compliant
By: Rob Morris on August 6, 2019
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the foundational data privacy laws in the United States, setting national standards for how healthcare and insurance organizations manage protected health information (PHI) related to all healthcare transactions. Designed to reduce fraud and abuse in the healthcare system, the law fundamentally transformed the way organizations handle patient and customer health information, and forced many companies to implement much stricter healthcare data policies to protect the security and privacy of their customers.
With the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which introduced a number of incentives designed to promote the use of electronic health record (EHR) systems, these protections were significantly expanded to cover the exchange of electronic protected health information (ePHI). Under the provisions of HITECH and subsequent updates to the law in 2013, the legal liabilities for non-compliance increased and the rules for notifying individuals and government regulators of data breaches were strengthened. It’s no surprise, then, that data center compliance standards place a big emphasis on HIPAA and HITECH compliance.
How HIPAA Compliance Impacts Your Business
While often considered the sole concern of the healthcare industry, HIPAA and HITECH apply to any organization that handles personal health information in any capacity. This means that third-party vendors must be in compliance as well, whether they’re handling data as a contractor or subcontractor. Since most of this data is electronic, the list of potential companies that need to take compliance into consideration is quite long. More importantly, the widespread handling of electronic protected health information also increases risks and liabilities in the event of a data breach.
In June 2019, Retrieval-Masters Creditors Bureau was forced to file for bankruptcy after one of its subsidiaries, American Medical Collection Agency (AMCA), suffered a data breach that potentially exposed the personal information of 20 million people. While AMCA doesn’t perform healthcare services, it does provide billing and collection services for several leading healthcare providers. The situation provided a stark reminder of why no organization can afford to take HIPAA compliance for granted.
Data Center HIPAA Compliance Checklist
In order to obtain and maintain their compliance status with regard to sensitive healthcare data, data centers must demonstrate that they have implemented a number of security measures, including (but not limited to):
Routinely auditing to maintain data security (especially when healthcare data is involved) and operational readiness.
What Are the Penalties for HIPAA Violations?
HIPAA violations can occur for any number of reasons. Some of the more common HIPAA claims result from failures to perform risk analysis, improper disclosures of protected health information, and failing to notify authorities or individuals of a data breach.
Of course, data breaches tend to command the most attention when it comes to high-profile HIPAA violations, as was the case with health insurer Anthem’s record-setting HIPAA settlement with the Department of Health and Human Services in 2016.
When an organization fails to disclose breaches or doesn’t secure sensitive records properly, it can be subject to a number of fines. These fines are broken into four distinct tiers:
Tier 1: This tier applies to organizations that were unaware of a violation and would not have been aware of the violation even had they been conducting reasonable due diligence in accordance with HIPAA guidelines. Fines can range from $100 to $50,000 per violation, capped at a maximum of $25,000 per year.
Tier 2: In this case, the organization either knew or should have known about a violation had it been exercising reasonable due diligence. Tier 2 HIPAA fines range from $1,000 to $50,000 per violation, up to a maximum of $100,000 per year.
Tier 3: When organizations demonstrate “willful neglect” of HIPAA guidelines but correct the violation within 30 days of discovery, they can be subject to a $10,000 to $50,000 fine for every violation, up to a maximum of $250,000 per year.
Tier 4: A company that shows “willful neglect” of HIPAA guidelines and makes no effort to correct the problem within 30 days faces even steeper fines, beginning at $50,000 per violation and going as high as $1.5 million per year.
With scrutiny of protected health information policies becoming more intense than ever, companies need to make sure they’re in compliance with HIPAA guidelines or potentially face the risk of lawsuits, fines, media scrutiny, and, ultimately, bankruptcy. A colocation data center with a strong commitment to compliance can help provide an organization with the peace of mind they need to keep focused on the best ways to grow their business and protect their valuable healthcare data.
About Rob Morris
Rob Morris is the Director of Program Management and the ISMS Manager. Rob chairs the vXchnge Information Security Council and manages the compliance campaigns and is our customer liaison.