Thinking about becoming a service provider for healthcare? You may know that the HIPAA Final Omnibus Rule ramped up the responsibility assigned to business associates such as hosters. What’s the most business-savvy way to move forward?
- Partner with a business associate that has strong HIPAA-compliant experience
- Understand the special concerns of healthcare
- Consider how long recovery will take
- Make your solution healthcare-ready
It’s compelling to look at the healthcare industry as a potential market to tap, especially with a confluence of demographic and technological trends. The baby boomers are entering their golden years, so there is higher demand. Plus, the cloud is becoming increasingly prevalent, with the third platform enhancing interoperability and increasing the prominence of patient-generated health data through patient engagement platforms.
The rise of mobile applications is another factor. Here are the responses from 2015, when PricewaterhouseCoopers asked clinicians for their level of comfort with various types of mobile apps:
| Comfortable | Uncomfortable | |
| Ear infection device/app | 74% | 26% |
| Urine analysis device/app | 53% | 47% |
| Vital signs device/app | 48% | 52% |
Clearly this data indicates that some healthcare niches are more doctor-friendly, but the real headline from the survey is that doctors are increasingly onboard with new technologies.
Here is advice to reduce risk when you work with healthcare companies.
Partner with a business associate that has strong HIPAA-compliant experience
“As a reseller, you depend on all your vendor partners,” explained MSPmentor. “But, when it comes to copying your customers’ PHI to your cloud provider’s data center, your dependence on your cloud provider also includes shared liability.”
Warning: Some cloud companies will argue that they don’t need to follow the healthcare law because of the “conduit exception” that covers entities such as the Postal Service. These providers are either being disingenuous or incompetent: providers must meet guidelines of HIPAA, as indicated in attorney resource Lexology.
It’s important to understand that you’re not passing on liability when you work with a data backup partner. You have to make sure that they are fully compliant. Look over the business associate agreement they provide carefully.
“[R]eview their Business Associate Agreement to find out exactly what their role is in protecting your customers’ data,” advised MSPmentor. “The agreement should spell out several ‘What if?’ scenarios, ranging from data breaches to the provider going out of business.”
Other than the legal agreement, you want to make sure that the data backup provider has strong encryption mechanisms in place. For instance, Dropmysite uses military-grade, 256-bit AES (advanced encryption standard) encryption – developed by Belgian cryptographers Joan Daemen and Vincent Rijmen, and adopted by the National Institute of Standards and Technology.
Understand the special concerns of healthcare
Since the healthcare field has become more technologically based in recent years, issues of accessibility and reliability can save lives. Furthermore, privacy and security of patient data is paramount, as encoded in federal regulations governed by the HHS.
Although HIPAA compliance is all over the news, hackers are increasingly targeting healthcare companies. For instance, 84.5 million combined records were breached when Anthem and Community Health Services were infiltrated. If you want to get the attention of healthcare companies, focus on data backup and security when discussing options, with the following questions:
- What data backup plan do you currently use? What you are trying to find out is whether or not the firm is currently in compliance with HIPAA and HITECH. Many aren’t, as indicated by the HIPAA “Wall of Shame”. “Even if they’re encrypting the data, there’s a good chance their backups are being performed manually,” noted MSPmentor, “which almost always leads to backup inconsistency.”
- What about DR? Do they use NAS? Strong disaster recovery uses multiple locations. Do they back up to an external cloud provider?
- What safeguards any data stored off-premises? You want to keep in mind two basic aspects related to information stored elsewhere: encryption and security. MSPmentor agrees that 256-bit AES encryption should be used, pointing out that it’s the standard used by federal agencies to secure top-secret files.
You want the provider go beyond AES-256, though. For example, Dropmyemail leverages SSL-encrypted endpoints, a firewall that limits ports and allows you to specify IPs, and industry-standard DDoS mitigation tactics.
Consider how long recovery will take
If a healthcare company’s system went down, how quickly could you get it back online? This answer is critical, both to please your customers and to protect patients.
Get the client to understand that recovery can be complex – unless you use one-click download, as described below.
“Some will be surprised to learn that … it could take several days for them to recover from a server failure after adding up all the time necessary to order a new appliance, convert the data, load drivers, an operating system, and other files onto the new appliance,” said MSPmentor.
Make your solution healthcare-ready
Healthcare is a tricky market to tackle. However, the revenue potential is incredible. You just need to make sure that everything is properly encrypted and fully compliant.
Regarding that final note on recovery time, you can download their entire site from us with just one click. Just because HIPAA compliance is complex doesn’t mean it has to be difficult.
