HIPAA-Compliant Data Centers
The resources required to set up and maintain an on-premises data center are considerable, so it is no surprise that many healthcare providers are turning to the cloud and are using third-party HIPAA data centers to cut costs.
The healthcare industry is under increasing pressure to improve efficiency and patient privacy protections while reducing healthcare costs. The data center is one area where all three can be achieved. By outsourcing the data center, privacy and security protections can be improved, the physical space occupied by the in-house data center can be put to profit-making use, and costs can be significantly reduced.
HIPAA-compliant data centers can be set up to provide the same or greater level of performance as in-house data centers, the only difference being where the data is stored. Rather than use in-house IT equipment that is expensive to purchase and maintain, healthcare providers simply rent the capacity from a cloud service provider.
The service provider is responsible for the hardware and infrastructure that supports their data centers, as well as implementing security controls to ensure clients’ data are protected. Since data centers house electronic protected health information, hosting providers must ensure that their platforms comply with Health Insurance Portability and Accountability Act (HIPAA) Rules. Hosting companies are classed as business associates under HIPAA, and must agree to implement appropriate technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI uploaded to the platform.
A hosting company must enter into a business associate agreement (BAA) with a HIPAA-covered entity. The BAA states the responsibilities of the business associate with respect to HIPAA and ePHI, and makes the business associate legally liable for any HIPAA violations. Under the terms of the agreement, HIPAA-compliant data centers must complete regular risk analyses to identify potential risks to ePHI, and those risks must be subjected to a security management process.
The HIPAA Report on Compliance, or HROC, can be used to determine whether a potential hosting provider has achieved the standards required by HIPAA. Third-party compliance assessments from leading compliance companies are also useful for determining whether all provisions of HIPAA have been considered and addressed. The reports from these independent assessments and the HROC can save HIPAA-covered entities a considerable amount of time when conducting due diligence on HIPAA data centers.
Hosting providers typically operate secure HIPAA data centers in multiple locations. Users can select the data center closest to their location, although most hosting companies have a system that detects the fastest route to transfer data to ensure the best performance.
Outsourcing the data center has many advantages, but there are potential drawbacks. Two of the most common complaints are poor performance and downtime. These issues can be avoided by choosing a service provider that offers a service level agreement that states the performance levels and uptime that will be guaranteed. It is important to choose a HIPAA data center that has sufficient capacity, bandwidth, and redundancy to be able to guarantee 100% uptime to ensure that health data is always available on demand.