This article explores HIPAA compliance as follows:
- Must Canadian Firms Comply?
- 2015 Prediction from OCR Attorney
- Conversation with Montréal Company
- Finding Worry-Free Partners
Must Canadian Firms Comply?
Many healthcare businesses operating in the United States are based in other countries, and there is often confusion about the extent to which those companies must meet HIPAA law. There are no exceptions: any business that processes, stores, or transfers protected health information (PHI) must follow the privacy, security, and breach notification rules described in Title II of the Health Insurance Portability and Accountability Act of 1996, regardless of where they are headquartered.
“If you’re obligated to comply with HIPAA, and you have a data breach,” warns Ontario IT firm WW Works, “you could be facing very large fines or legal action from the United States.”
2015 Prediction from OCR Attorney
David Holtzman, who used to be an attorney for the HHS Office of Civil Rights, noted in GovInfoSecurity that he thinks the OCR will take more “high-profile” enforcement actions this year.
His perspective is based in part on the early December OCR settlement with Anchorage Community Mental Health Services. This Alaska provider was fined $150,000 for exposing 2700 patient records by failing to patch software properly. That settlement is the first since Jocelyn Samuels took over the director post.
“This resolution agreement could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively,” argues Holtzman.
Currently, the OCR site states that there are 6000 complaints and audits under investigation.
Conversation with Montréal Company
The following conversation is based on an interaction with a client needing a HIPAA compliant system for their Canadian business.
Consultant:
Thank you for contacting Atlantic.Net. Please tell us about your hosting needs.
Client:
I’m looking for a cost-effective HIPAA-compliant hosting solution with a BAA. We are based in Montreal.
Consultant:
We can only provide a HIPAA Server out of our Orlando, Florida, datacenter. If you would like us to send you a formal proposal, we will need answers to the following questions. I have attached a copy of our BAA and HIPAA audits for your review.
- Do you require a Linux or Windows-based platform?
- How much storage space do you require for the data, and do you need Encrypted Storage?
- How many internal users will be accessing the hosting platform?
Client:
Initially, we are developing a free app, essentially a pill reminder for iOS and Android. The online portion is an API, and data is encrypted by us.
Linux server. Not sure whether we need encrypted storage, but let’s assume with and without.
At this point, I don’t have an estimate for storage size. The free app will have minimal needs, but our full product may need more. Give me some ideas for cost so I can budget this better.
Internal users mean what? Programmers? Admins? Assume 1 of each, I guess.
Consultant:
If you are encrypting the data yourself, then you do not need Encrypted Storage. The smallest amount of storage we can provide is 500 GB. The pricing for this is actually on our website, but on our website, it says 160 GB of storage. We are providing 500 GB for the same price.
This is the link to the pricing, and it would be $xxx per month on a 24-month agreement.
You can add extra services to this package as follows:
- Fully Managed Daily Backup (extra $xxx per month)
- cPanel w/ WHM for Linux (extra $xxx per month) – You will need this if you are not familiar with operating a Linux hosting platform from the command-line interface level.
- Trend Micro Deep Security (extra $xxx per month) – or you can install your own antivirus software.
The hosting platform comes with ( 5 ) Encrypted VPNs, so if you only have two internal users, you have plenty of VPNs you can use to connect to the hosting platform.
Our HIPAA hosting platforms include only Private Dedicated Hardware, so the Firewall. Intrusion Detection System and Dedicated server are allocated to each individual customer.
I have attached two more documents for your review that encompass our Fully Managed Hardware Firewall, Intrusion Detection System, Encrypted VPNs, and Fully Managed Daily Backup.
Client:
This seems reasonable to me. I’ll discuss this with my team over the next week and will get back to you soon.
Thanks for the speedy reply!
Finding Worry-Free Partners
As you can see above, we are highly familiar with HIPAA and business associate agreements, specializing in healthcare compliance solutions for the past six years. Complete Healthcare Solutions vice president Joseph Nompleggi said of our HIPAA Compliant Hosting, “Our partner’s financial strength and proven track record are something we view with great confidence.” Atlantic.Net also can offer VPS hosting that offers 100% uptime.