Picture the scene: the surgeon peers over the patient lying sedated, covered on the operating table. Lights shine on the targeted area of the abdomen where the physician intends to operate.
“Scalpel,” the surgeon states confidently, and the razor-sharp instrument is placed in her talented hands. She leans in, ready for the procedure to begin.
As the tool touches skin, the patient wakes up, bolts upright with eyes ablaze and stares at the team.
“But what about the security of my personal electronic medical data?!?” he yells.
Didn’t expect that? I bet you weren’t thinking about that one bit, and you aren’t alone. While many companies are entering the healthcare and healthcare tech markets with new tools and applications that help medical professionals do their jobs better, they often lose sight of what gives the Health Insurance Portability and Accountability Act of 1996 (HIPAA) its teeth: the HITECH Act.
HIPAA and the HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology. Simply put, it gave teeth to the already enacted HIPAA by establishing tiered civil monetary penalties (CMPs) of $100 to $50,000 per violation, depending on the level of culpability, with a cap of $1,500,000 per calendar year for violations of the same provision. The HITECH Act also made clear that HIPAA’s criminal penalties apply to individuals, not just organizations: a person convicted of knowingly obtaining or disclosing individually identifiable health information faces fines of up to $250,000 and up to ten years in prison where the offense is committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm.
Many IT professionals in the healthcare fields generally know about HIPAA, and some may perform a cursory look for some sort of badge promising HIPAA compliance before signing on with an infrastructure service provider. Keep in mind that no government body certifies a product or service as HIPAA compliant, so such a badge is a vendor’s claim; what matters is whether the provider will sign a Business Associate Agreement and can document the administrative, physical and technical safeguards it actually has in place. Choosing a HIPAA-compliant data center has become even more important because the penalties for violations can be severe.
Civil penalties are tiered by culpability and criminal penalties by intent, and within each tier regulators weigh the nature and extent of the violation, including how many individuals’ records were affected and the harm that resulted. Why is that important when talking about Internet infrastructure? Because these records don’t tend to travel in ones and twos but rather in the thousands, or more.
As such, the penalties for violations can quickly escalate to an eyebrow-raising level for healthcare and healthcare tech companies that are either in direct contact with electronic protected health information (ePHI) and Electronic Medical Records (EMR) or in indirect contact through Business Associates (BAs), who since HITECH are directly subject to the same penalties. Examples include transmitting unencrypted ePHI over email or lacking a sufficient audit trail for PHI/EMR systems. Additionally, sharing PHI with a Business Associate without having the appropriate Business Associate Agreement (BAA) in place can result in hefty fines and possibly jail time.
HIPAA-compliant data centers
Ongoing consolidation in the healthcare industry is creating a need for increased collaboration across healthcare providers, healthcare technologies and health plans. But complying with the HIPAA Privacy and Security Rules is exceedingly challenging. This leaves many healthcare and healthcare tech companies scratching their heads as to how to strike a balance between establishing an infrastructure that meets business needs and adhering to HIPAA’s requirements. Safe to say that it’s more important than ever for an organization – be it a Covered Entity or a Business Associate – to ensure it is doing business with a service provider that fully understands HIPAA legislation and the very serious penalties that enforce it through the HITECH Act.
Internap is proud to provide HIPAA-compliant colocation, managed hosting and private cloud environments for our customers. What’s more, Internap is one of the few service providers that can offer a HIPAA-compliant hybrid environment allowing healthcare organizations to create a best-fit infrastructure to meet HIPAA-compliant hosting requirements. We have extensive experience migrating healthcare tech customers to our HIPAA-compliant environments.
If you’re with an organization impacted by HIPAA and are interested in focusing on doing what you do best instead of worrying about your healthcare infrastructure, please reach out to us. While we won’t have the gauze, iodine or scalpel, we will have the colo, managed hosting and private cloud that the doctor ordered.