SaaS HIPAA Compliance Considerations & Certification

With the use of cloud technology trending upward, many cloud companies are touting themselves as “HIPAA certified.” In fact, there’s no such thing as a HIPAA certification, though software and cloud service providers may be required to comply with HIPAA rules.

What Does HIPAA Compliance Mean?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the US Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of protected health information.

In response, the HHS created the HIPAA Privacy and Security rules. The Privacy Rule established certain rights that all US citizens have with regard to protecting their health-related information. This extends to ensuring data is transmitted securely, retained appropriately, and restricted in access to certain roles.

While there is no certification to prove compliance with HIPAA regulations, the following are ways to establish HIPAA compliance for SaaS:

  • Identify relevant HIPAA requirements, perform self-assessment, and remediate any gaps. You can then attest to HIPAA compliance.
  • Engage a third party to assist with performing a HIPAA readiness assessment and remediate gaps identified by it. Either you or the third party can attest to HIPAA compliance.
  • Obtain a HITRUST assessment. This is more involved than a typical HIPAA audit, because it may include other requirements from NIST or ISO in addition to HIPAA.

SaaS HIPAA Compliance 101

What is SaaS HIPAA Compliance?

SaaS companies may be considered business associates (BA) of a covered entity (CE) that falls under HIPAA regulation. A BA is defined as any person or organization with logical or physical access to electronic protected health information (ePHI). These are typically organizations that interact with data on behalf of a health system or insurance company, or one of their vendors.

This includes but is not limited to SaaS providers, data centers, print vendors, and cloud platform providers. Specifically, you’re subject to HIPAA compliance rules if you are:

  • A software developer that builds an application that collects personally identifiable data about an individual that may later be shared with a medical professional.
  • A service provider whose clients create, receive, store, or transmit ePHI through your services.

As a BA, a SaaS company can be HIPAA compliant if it has assessed its compliance and mitigated any gaps. Ensuring SaaS HIPAA compliance is like an insurance policy that protects a company in the event of a data breach. No one wants a breach, but companies can reduce the risk of being found negligent by the Office of Civil Rights (OCR) by performing self-assessments or hiring a third party to assess their HIPAA compliance.

The key areas of HIPAA that a SaaS BA must comply with are the administrative, technical, and physical safeguards intended to prevent unauthorized disclosure or use of ePHI while it’s in transit or at rest. These focus on facility controls, access controls, user authentication, and transmission security.

SaaS HIPAA compliance requirements

Who is Required to be HIPAA Compliant with SaaS?

Not all SaaS companies maintain information that is considered sensitive. However, SaaS companies that house data internally that includes ePHI must comply with HIPAA requirements.

Even if using a HIPAA-compliant managed service provider, a SaaS company can be implicated in a data breach if they themselves cannot prove HIPAA compliance prior to the incident. The internal controls in the processing and management of ePHI, even if it is stored off-site, must be shown to be in compliance with HIPAA requirements, or the SaaS company is considered liable.

It’s important to note that SaaS companies that serve both covered entities and the general public can utilize the “HIPAA-eligible option”. This means the product or service can be configured by a covered entity or BA to be HIPAA compliant, but without that configuration it is not HIPAA compliant.

Other SaaS Regulations

In addition to the wide scope of HIPAA compliance, other types of sensitive information are governed by state and federal regulations. When working with federal or state information, for example, FedRAMP or StateRAMP is generally required. When working with criminal justice information, CJIS compliance may be requested.

In general, SaaS companies and cloud service providers will receive audit requests, making SOC 2 compliance a good idea for many of them. A SOC 2 audit can help ensure compliance for a variety of sensitive data types.

HIPAA compliant tools

How to Identify HIPAA-Compliant Software

A SaaS company’s signing of a Business Associate Agreement (BAA) with its clients is considered a formal, legally binding attestation of HIPAA compliance. A signed BAA is required before ePHI can be transmitted between entities. Without a BAA, both the BA and the covered entity are legally responsible for any data breach that occurs.

Of course, signing a BAA itself does not mean the SaaS company performed a full compliance assessment and remediated identified gaps or accepted risks, so it’s important to ask a SaaS BA whether they completed those steps in addition to signing a BAA. Either the SaaS company or their hired third-party auditors can attest to their compliance.

If a BA can provide an attestation of its HIPAA compliance and signs a BAA, its products would be considered HIPAA compliant, per the wording of the BAA.

HIPAA Compliance for SaaS Summary

SaaS HIPAA compliance is required for any BA handling, transmitting, and/or storing ePHI or personally identifiable information that will be used in medical records. There is the option to create software or services that become HIPAA compliant when configured by a covered entity that is subject to HIPAA regulations.

However, a greater measure of protection against liability for data breaches comes from a SaaS company being HIPAA compliant themselves. Obtain HIPAA compliance by performing a readiness assessment and remediating any gaps. This must be done before signing a BAA, as it attests to your compliance.

As a covered entity, any SaaS or cloud service provider you work with should be able to furnish proof of performing an assessment, in addition to signing a BAA, to prove they are HIPAA compliant. There is no such thing as “HIPAA certified”.

To ensure full compliance with applicable administrative, technical, and physical safeguards, hire Linford and Company to perform a readiness assessment. Contact us today to learn how we can ensure your SaaS HIPAA compliance before an OCR finding erodes customer and client trust.