Among companies handling patient records, the Health Information Technology for Economic and Clinical Health (HITECH) Act is old news. Enacted in February 2009, it was written to promote adoption of health information technology and, over time, to make certain functions and safeguards mandatory, tightening the requirements for compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Software as a Service (SaaS) providers, though, may not be fully aware of what HITECH means for their handling of data. A SaaS that deals with healthcare information, such as one that provides practice management or electronic health and medical record (EHR/EMR) applications, is a HIPAA business associate and, under HITECH, is directly subject to the same security and privacy requirements as the medical institution whose data it processes.

Compliance gets fairly complicated, as one might expect. Privacy safeguards apply to the vast majority of patient data, and HITECH demands evidence of safeguards in all three categories the HIPAA Security Rule defines: administrative (policies, procedures, training and risk analysis), physical (who can get at the hosting hardware and where it lives) and technical (access control, audit logging and protection of data in transit).

Addressing HIPAA HITECH's requirements takes a skilled IT team that can manage compliance day to day, plus external audit and IT resources. That is as expensive as it sounds, but there is another option.

SaaS providers seeking secure, scalable infrastructure for medical data are increasingly turning to third-party managed or hybrid hosting. Hostway, in partnership with StillSecure, offers a third-party-audited HIPAA HITECH-specific compliance bundle that addresses the bulk of the infrastructure-level concerns. Partnering with a hosting provider like Hostway also gives a SaaS business access to experienced technicians, proven tools and technology, and certified processes.

Third-party hosting suppliers should be carefully assessed for compliance capability across managed servers, private clouds and hybrid clouds. Ideally, an auditor-approved solution is available that specifically addresses HIPAA HITECH compliance. Because the hosting provider will handle protected health information on your behalf, it must also be willing to sign a business associate agreement (BAA); a provider that will not sign one cannot be part of a compliant deployment, whatever its technical controls.

Here’s a quick look at what a SaaS should demand of a hosting partner where HITECH is concerned:

  • Policies and procedures: A reliable security operations center should be backed by change control management, daily security log reviews, periodic firewall rule reviews, alert escalation and documented incident response procedures. Ask to see the procedures and the evidence (review sign-offs, change tickets, escalation records) that they are actually followed, since that evidence is what an auditor will ask for.
  • Analysts: Response time matters for compliance, because HITECH's breach notification rules put a clock on detection and reporting. Around-the-clock availability of staff who understand both security and HIPAA HITECH management is essential. Global threat monitoring and the ability to handle incoming customer inquiries are also key components.

SaaS providers have to take a serious look at how they are securing the data that passes through their applications. But rather than invest the time and money to build a HIPAA HITECH compliance solution of their own, these companies should shop for an independently audited solution from a hosting provider. What a SaaS needs is out there, ready to go, at a minor expense relative to do-it-yourself compliance. Look for a vendor with a package of proven network security and compliance technologies, a comprehensive data center security plan, and round-the-clock expert monitoring and management. Keep in mind that a hosted compliance bundle covers the infrastructure; the controls inside your own application, such as user authentication, role-based access to records, in-application audit trails and encryption of patient data your code handles, remain your responsibility as the business associate. Let the provider handle the hosting, so you can stick to what you do best – the business of developing and providing your software to the healthcare practices that depend on you.

To learn even more about HIPAA HITECH and available solutions to help keep your business in compliance, attend Hostway and StillSecure’s free webinar on November 28, 2012. Reserve your seat now.
