7 Essential Questions to Ask Your HIPAA Hosting Provider
Family practices, medical centers, hospitals, medical insurance companies and other health-related businesses rely on technology in their daily operations to provide enhanced medical care and other services to patients. They use a range of computing services to store and transmit patient information for medical examinations, test results, medical equipment, and billing work. The patient’s personal information must be protected at all times, following the privacy compliance standards set forth by the Health Insurance Portability and Accountability Act (HIPAA).
Operating a medical practice or business will require you to hire a hosting provider who is versed in HIPAA standards to ensure all healthcare information is kept secure and confidential against possible data breaches. Hiring the wrong provider could lead to misuse, mishandling and theft of information, as well as fines leveled against your company. Before hiring a hosting provider, here are 7 essential questions to ask to ensure they will be HIPAA compliant:
- What Are Your HIPAA Compliant Hosting Services and How Do They Differ from Your Standard Managed Services?
- Can I See Your HIPAA Certifications List?
- Do You Offer Your Clients a Business Associate Agreement?
- How Do You Meet Regulatory Compliance?
- Does the Hosting Provider Have an Incident Response Process?
- Have You Ever Experienced a Data Breach?
- Can You Provide a Breakdown of Your Pricing Plans?
What Are Your HIPAA Compliant Hosting Services and How Do They Differ from Your Standard Managed Services?
This question should be at the top of your list, as you want to know how the hosting provider built their HIPAA-compliant services. You don’t want to hire a hosting provider who simply took their standard managed services and claimed they are also suitable for health-related businesses. They may be offering the bare minimum in trying to meet HIPAA standards. With the threat of cyber attackers compromising sensitive patient health information, you want to work with a provider who offers more comprehensive HIPAA-compliant hosting services.
Can I See Your HIPAA Certifications List?
Every medical business will use a range of different technologies during operations. The HIPAA hosting provider should be knowledgeable in all current technologies and hold certifications in these systems to ensure that their hosting services match their clients’ technological needs. If the hosting provider can’t provide any HIPAA certifications, or can only show you one certification, they may not be fully equipped to provide the services you need and may only be doing the bare minimum to attract more clients.
Do You Offer Your Clients a Business Associate Agreement?
A business associate agreement (BAA) is a written agreement covering the permitted use of health information, how the business will not disclose any information outside of that permitted use, how it handles health information once the contract ends, and what safeguards are in place to prevent a data breach. It should also outline the service agreement the hosting provider will have with your business. If the hosting provider doesn’t offer an agreement, the agreement is confusing to read, or it doesn’t provide a clear picture of the services they provide, that is a clear indication that the hosting provider is not reliable enough to manage your healthcare technology needs.
How Do You Meet Regulatory Compliance?
You should always ask if the hosting provider is HIPAA compliant. Find out what types of audit reports they provide and under which regulatory compliance standards: SSAE 16 Type II, HIPAA, or SOC 2 Type II. By learning what IT assurance services they offer, you can also find out how they will help you with your annual auditing tasks, whether they have a dedicated security staff, and whether that staff has obtained Certified Information Systems Security Professional (CISSP) certification.
Does the Hosting Provider Have an Incident Response Process?
The incident response process gives you greater detail on how the hosting provider will handle any type of security breach or attack on its IT systems. It should outline the steps the hosting provider will take to detect the breach, identify its cause, and carry out remediation to limit the damage that occurs. The incident response plan should also establish a working timeframe for how long it will take the hosting provider to recover from a data breach or security attack. Also ask the hosting provider about their business continuity plan; they should be able to provide details on how their systems function during natural disasters or outages.
Have You Ever Experienced a Data Breach?
Pay close attention to how the hosting provider answers this question. It doesn’t have to be a deal breaker if the company has experienced a breach, as hackers and cyber criminals are constantly developing new techniques to break through current security systems. Yet if the company sidesteps the answer, or admits that they have experienced a breach but doesn’t say how they recovered from it or what additional safeguards and processes were put in place to prevent the incident from happening again, this is a sure indication that the company is not one you want working for your business.
Can You Provide a Breakdown of Your Pricing Plans?
The hosting provider industry can be a very competitive business. Companies are trying to entice healthcare-related businesses to work exclusively with them, and they offer pricing plans to coax you to work with them instead of their competitors. Yet a pricing plan that seems too low for the hosting services they claim to provide could be a warning sign that they will take shortcuts in their operations. When you see prices that are far below the standard pricing plans offered by other, more established companies, you need to figure out why there is such a large discrepancy.
Working with the best hosting provider can ensure that the healthcare information your business stores and uses is kept confidential and secure. You should also perform the necessary audits of your information systems to stay in HIPAA compliance. Working with I.S. Partners can help you meet HIPAA-HITECH standards.
We can inform you of the potential risks and vulnerabilities in your technology systems so you can take the necessary corrective action to bring your operations back into compliance with HIPAA. Send us a message or call us at 215-675-1400 today to learn more about our HIPAA-HITECH assurance and attestation work.