HIPAA Compliance for SaaS
HIPAA compliance for SaaS is one of the many HIPAA-related topics full of ifs, buts and maybes. In this case, the reason there are so many possible answers to questions about cloud services is that the original Health Insurance Portability and Accountability Act of 1996 was enacted long before cloud services were commercially available.
The subsequent HITECH Act of 2009 and the Final Omnibus Rule of 2013 make limited references to any technical specifications, leaving many developers, service providers and hosting companies in the dark about HIPAA compliance for SaaS. However, there are some guidelines and best practices businesses developing, providing or hosting cloud services should adopt.
What is HIPAA Compliance for SaaS?
In relation to software developers and service providers, HIPAA compliance for SaaS means adherence to the administrative, technical and physical safeguards of the HIPAA Security Rule – provided the products you develop or the services you provide involve the creation, use or transmission of Protected Health Information (personally identifiable data about an individual). For example:
- If you are a software developer, and you build an application that collects personally identifiable data about an individual that may later be shared with a medical professional, you are subject to HIPAA compliance for SaaS developers.
- If you are a service provider whose clients create, use or transmit Protected Health Information through your services, you are subject to HIPAA compliance for SaaS providers and may have to execute a Business Associate Agreement with selected clients.
With regard to SaaS hosting companies, there is no specific provision in the HIPAA Security Rule safeguards that prohibits the architecture of a cloud server, VPS server or SaaS application – even though by nature these are “shared” architectures. However, most HIPAA Covered Entities and Business Associates will want to know that you offer a HIPAA-eligible option.
Key Areas of HIPAA Compliance for SaaS Providers and Hosting Companies
For most developers building eHealth apps for personal use, HIPAA compliance will not be an issue. For further clarification on this point, please refer to our article on HIPAA Compliance for Medical Software Applications. For SaaS service providers and hosting companies, the key areas to focus on are the administrative, technical and physical safeguards of the HIPAA Security Rule.
The administrative, technical and physical safeguards are intended to prevent the unauthorized disclosure or use of Protected Health Information while it is at rest or in transit, and – in respect of HIPAA compliance for SaaS providers and hosting companies – focus on facility controls, access controls, user authentication, and transmission security.
Further information is provided about each of these key areas of HIPAA compliance for SaaS providers and hosting companies in our free-to-download HIPAA Compliance Guide. However, when reading our guide, it is important to note the terms “required” safeguards and “addressable” safeguards take on a different context when applied to SaaS providers and hosting companies.
The Difference between Required Safeguards and Addressable Safeguards
In all circumstances, if a safeguard is “required”, it is compulsory. The safeguard must be implemented and there are no exceptions. “Addressable” safeguards have been interpreted by some as a safeguard “we must get around to addressing sometime in the future”. This is not the case – especially in relation to HIPAA compliance for SaaS providers and hosting companies.
An addressable safeguard is one that must be implemented unless a suitable alternative is implemented in its place, or it is determined that the addressable safeguard is unnecessary in the circumstances. The reason(s) why an alternative or no safeguard is implemented must be documented after conducting a risk assessment and developing a risk mitigation strategy – both of which must also be documented.
An example of an “addressable” safeguard that takes on a different context when applied to SaaS providers and hosting companies is encryption. A healthcare provider could implement an alternative or no safeguard if the PHI created, used and maintained was confined to a private, secure network. This would not be the case in the context of HIPAA compliance for SaaS providers and hosting companies, where PHI is transmitted over public networks and stored on shared infrastructure, and so the safeguard of encryption would effectively become “required”.