A question we’ve been fielding lately is, “How do cloud software companies like Pau Spam address HIPAA compliance?”
This is an important topic for 2014, as we are in the early stages of the convergence of two macro trends in computing: Compliance Services and Cloud computing.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any organization that deals with Protected Health Information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
This includes Covered Entities (CE): those who provide treatment, payment and operations in healthcare. Business Associates (BA), meaning anyone who has access to patient information and provides support in treatment, payment or operations, are also included. In addition, subcontractors of Business Associates must also be in compliance.
Is my Organization a Covered Entity?
In the eyes of the Federal government, a Covered Entity is one or more of the following:
- A Health Care Provider that conducts certain transactions in electronic form (otherwise known as a “covered health care provider”).
- A Health Care Clearinghouse.
- A Health Plan.
If you still aren’t sure, you can refer to this Covered Entities chart here.
Still stuck? Contact us and we’ll help you.
What is Cloud computing?
Cloud computing means storing and accessing your data and programs over the Internet instead of your computer’s hard drive. The term “cloud” is a metaphor for the Internet.
Oftentimes, organizations rent out computing power from cloud vendors rather than purchase and configure actual servers. That’s exactly what we’ve done at Pau Spam since 2012.
In other words, instead of buying and maintaining actual servers, we’ve migrated our entire Software as a Service (SaaS) platform into the cloud.
If you are storing my PHI data in the cloud, how do I know it’s secure?
That’s an excellent question. First, our cloud infrastructure provider, Amazon Web Services, is HIPAA compliant. Second, we make sure the software we build is HIPAA compliant and securely written.
For example, we built our secure file-sharing service Paubox to use 256-bit encryption for data in transit.
We also use 256-bit encryption for data at rest, so that data is stored in an encrypted state once it reaches Paubox.
Third, we are willing to sign a Business Associate Agreement (BAA) with a CE. A BAA is a relatively new requirement that establishes a service agreement between Business Associates like us and Covered Entities. The obligations placed upon BAs are quite extensive and, if not followed, stiff fines are possible. We thus have a HIPAA attorney on retainer to help us understand and navigate these issues.
We explained that HIPAA compliance is a federal standard for protecting sensitive patient data. We’ve outlined who must adhere to it (Covered Entities) and how to determine whether you are one. We’ve also talked about cloud computing and our commitment to it. Lastly, we outlined three tangible factors for how a cloud software company like us can be HIPAA compliant:
- On the backend, choose a HIPAA compliant cloud vendor
- On the frontend, build your software from Day 1 with HIPAA compliance in mind
- Understand, adhere to, and be willing to sign Business Associate Agreements
We hope you found this post useful. Contact us today to see how we can help you.