Health Care Organizations Seek HIPAA-Compliant Hosting
Service providers in the government and retail sectors face compliance duties — the Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS), for example. The same holds true in healthcare, where the Health Insurance Portability and Accountability Act (HIPAA) sets a data protection standard for healthcare providers and health plans (“covered entities” in HIPAA jargon) as well as their business associates. The business associate label applies to companies whose work for providers and plans involves handling protected health information (PHI); data processing is one such business. This regulatory environment has created a niche for HIPAA-compliant hosting.
Online Tech, a managed data center operator based in Ann Arbor, Mich., is pursuing that field. The company this week announced that MedHub, a healthcare software company that works with academic teaching hospitals, has tapped Online Tech for HIPAA-compliant colocation services.
Online Tech’s SAS 70 compliance provided the initial baseline for its HIPAA work, which intensified this year.
“In 2011, we decided to fully invest in getting all of our data centers independently HIPAA audited by a Certified HIPAA Professional and Certified HIPAA Security Specialist to go to the furthest extent possible to meet HIPAA compliance,” said Mike Klein, president and chief operating officer, at Online Tech.
The company offers to share the results of the HIPAA compliance report with clients under a non-disclosure agreement.
Taking the time to check a provider’s compliance only makes sense given the potential costs of a HIPAA breach. An entity violating HIPAA may be fined up to $1.5 million per calendar year for violations of an identical provision.
“With the increased risk and severity of data breach penalties, it’s imperative that anyone touching PHI can prove they have done as much due diligence as possible in every aspect of their business processes and IT infrastructure,” Klein noted.
The HIPAA focus has helped the company expand its scope.
“Traditionally, we tend to have more regional customers with our colocation services,” Klein said. “But in the compliance spaces that require PCI or HIPAA compliance, we’re finding a widespread distribution across the country.”
HIPAA compliance customers range from physician groups to the SaaS companies that support them, he noted. Online Tech may offer a combination of hosting and managed services on a given project. For example, the company’s work with Biotronic, which provides neurophysiological intraoperative monitoring services, involves data center services, offsite backup, and disaster recovery.
Storage represents another opportunity. Providers and healthcare vendors are beginning to look to outside providers to handle growing volumes of electronic data and medical images. Coding Compliance Solutions, a company that specializes in medical coding, came to Online Tech for storage.
“They found that they were easily using up to a TB of storage space per client,” Klein said. “I think we’ll see the need for a lot of HIPAA compliant SAN storage solutions in the very near future.”
HIPAA-related opportunities may be growing, but becoming compliant requires a fair amount of commitment.
“We’re finding a huge demand for HIPAA compliant data centers, but very few data centers have invested in independent HIPAA audits,” Klein said. “Meeting HIPAA compliance is an all-in initiative — either the whole company meets compliance across the board, or you don’t meet the audit standards. The processes and security training touch every employee in the entire company.”
Klein said Online Tech’s compliance background eased the impact of its HIPAA audit. The company’s history of independent compliance audits includes SAS 70, SSAE 16, SOC 2, and SOC 3.
The time and expense of a HIPAA audit will keep many service providers away. But for those companies already on the compliant hosting track, HIPAA could offer up a new market with seemingly limited competition.