HIPAA Compliant Hosting: Beyond the BAA

Posted by Rebecca Santorios on January 7, 2016


525,600 is the number of minutes in a year (and a song for and by hippies). It takes Google 0.85 seconds to tell me that there are about 469,000 web pages that mention “HIPAA Hosting”. Clearly it’s a big deal, and make no mistake: hosting EHRs, EMRs and their peripheral data sets is big business.

Today there are literally thousands of data centers claiming to be HIPAA compliant and boasting of their technical and administrative safeguards. What they don’t tell you is that, for the vast majority, the safeguards they are referencing are exactly the same ones they apply to Bertha’s Cat Blog and Jim-Bob’s Guide to Appalachian Moonshine (worth a read btw, skip the cat blog). In other words, they have done nothing differently: their approach to handling a million health records is the same one they apply to Bertha’s and Jim-Bob’s data.

Apply this logic elsewhere: I am going to start a bank, it’s going to offer the highest security, and I’ll keep your money in a vault. How impressive, a bank with a vault. A bank with a vault is the minimum expectation, and a data center that decides to lock its doors does not deserve a high five.

The question we should be asking is: in what ways have the HIPAA and HITECH acts altered their business practices?

If you are regulated by HIPAA and HITECH, then you’ve likely sat through countless PHI awareness trainings. Maybe you’ve had the joy of sitting through an online class where weird and wonderful PHI breach scenarios are thrown at you, and yet you’d sign up for Crazy Frank’s Discount Datahut because Frank locks his door and will happily sign a BAA. He’ll sign for a pizza too. Guess which means more to him?

The truth is, HIPAA compliance can only be achieved with active management of the resources that actually store the PHI. Everyone in the data center should be trained on PHI and understand their responsibilities. SSAE 16 and SOC reports have their place, but they are not substitutes for a policy on health IT and data privacy.

45 CFR Part 164 requires the regulated organization to conduct a risk analysis of the threats to its electronic PHI. How can that be accomplished if the custodians of its records lack a basic understanding of PHI and have not effectively risk-assessed their own practices relative to it? And since the 2013 Omnibus Rule, a business associate that hosts PHI is directly obligated to conduct that analysis itself, not merely to sign a BAA.

Data centers have set an incredibly low bar for HIPAA compliance, and they have been aided and abetted by a lack of due diligence and a desire for instant compliance. In the coming years, as electronic medical records surpass and replace paper, there is likely to be a glut of civil lawsuits related to the exposure of private health data. A pretty website filled with health IT speak doesn’t suffice; you owe it to your patients and customers to seek a truly engaged provider.

At ByteGrid we do things differently. Across all nine of our data centers, every member of our staff is trained on PHI awareness and data privacy, and every one of our HIPAA-regulated customers receives a comprehensive HIPAA qualification package, unlimited audit support and third-party certification through EHNAC.

You and your patients deserve more: you deserve true HIPAA compliance, and at ByteGrid we deliver it.