SaaS HIPAA Compliance Considerations & Certification Clarifications

With the use of cloud technology trending upward, many cloud companies are touting themselves as “HIPAA certified.” In fact, there is no such thing as a HIPAA certification. There is also no HIPAA rule that requires an independent assessment. Companies are welcome to self-assess, with the caveat that simply declaring yourself HIPAA compliant won’t help if your company is associated with a data breach. Consider the following example of what could happen to a software as a service (SaaS) company in the event it is implicated in a data breach (the example company is hereafter referred to as “SaaSCo”).

SaaSCo is a business associate for many HIPAA-covered entities and provides a cloud-based application used by large hospital groups and insurance companies. SaaSCo uses a managed service provider called ManageTech to manage the IT infrastructure that supports their SaaS cloud application. ManageTech has a current independent AT 601 HIPAA attestation report that reports on ManageTech’s compliance with the HIPAA Security and Breach Notification Rules. SaaSCo is periodically asked by their HIPAA-covered entity customers whether or not they are HIPAA compliant. SaaSCo knows they have some IT controls in place internally and assumes that their environment, in addition to their managed service provider, is HIPAA compliant without validation. SaaSCo also believes the electronic protected health information (ePHI) is housed within ManageTech, therefore their liability, if a breach occurs, is limited because they do not house the ePHI internally.

A data breach occurs at SaaSCo when a former employee retains remote access to ePHI following termination and uses the access to copy patient records containing ePHI to his home computer. The disgruntled employee later sells the copied information over the Internet.

Based on SaaSCo’s initial assessment that they were HIPAA compliant prior to the breach, the Office for Civil Rights (OCR) investigation should find that SaaSCo was HIPAA compliant, right? Wrong. Just because SaaSCo houses their IT equipment at ManageTech’s HIPAA compliant data center and believes they are HIPAA compliant does not mean that SaaSCo’s internal control environment is operating effectively in support of HIPAA compliance. In fact, by signing Business Associate Agreements (BAAs), SaaSCo has formally represented to their user entities that they are HIPAA compliant. Following the breach, the OCR investigation finds that SaaSCo did not have the required HIPAA Security Rule controls in place, which contributed to the breach of over 5,000 database records containing patient ePHI.
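The control that failed in the example is access revocation at workforce termination: the former employee’s remote access was never removed. As an added illustration (not part of this article, and not SaaSCo’s or ManageTech’s code), the following Python script reconciles a constructed HR termination list against constructed VPN login records and flags every remote-access event, successful or not, that occurs after the user’s termination date. The log format, the field names, the `TERMINATIONS` feed and the grace period are all assumptions chosen for the example.

```python
"""Reconcile workforce terminations against remote-access events.

Added example, not from the article. Detects the failure mode in the
SaaSCo story: a terminated user whose account still accepts (or is still
attempting) remote logins. All data below is constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Constructed HR feed: username -> termination timestamp (end of last day).
TERMINATIONS = {
    "jdoe": datetime(2023, 3, 15, 17, 0),
    "asmith": datetime(2023, 4, 1, 17, 0),
}

# Constructed VPN login events; the line layout is an assumed format.
SAMPLE_LOG = """\
2023-03-10T09:02:11Z VPN-LOGIN user=jdoe src=203.0.113.5 result=success
2023-03-20T22:41:03Z VPN-LOGIN user=jdoe src=198.51.100.7 result=success
2023-03-21T01:15:44Z VPN-LOGIN user=jdoe src=198.51.100.7 result=success
2023-04-02T08:00:00Z VPN-LOGIN user=asmith src=203.0.113.9 result=failure
2023-04-03T19:30:12Z VPN-LOGIN user=bwong src=203.0.113.12 result=success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+VPN-LOGIN\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group("user"),
        "src": m.group("src"),
        "result": m.group("result"),
    }


def find_post_termination_access(log_text, terminations, grace=timedelta(0)):
    """Return every event by a terminated user that is later than
    termination + grace. Failed attempts are kept too: they show the
    account still exists and is being tried, which is worth review."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped, not treated as clean
        terminated_at = terminations.get(event["user"])
        if terminated_at is None:
            continue  # active employee, nothing to check here
        if event["ts"] > terminated_at + grace:
            findings.append(event)
    return findings


def summarize(findings):
    """Per-user counts of successful and failed post-termination events."""
    summary = {}
    for event in findings:
        bucket = summary.setdefault(event["user"], {"success": 0, "failure": 0})
        bucket[event["result"]] = bucket.get(event["result"], 0) + 1
    return summary


def accounts_needing_review(findings):
    """Sorted list of terminated users with any post-termination activity."""
    return sorted({event["user"] for event in findings})


if __name__ == "__main__":
    hits = find_post_termination_access(SAMPLE_LOG, TERMINATIONS)
    for user, counts in summarize(hits).items():
        print(f"{user}: {counts['success']} successful, "
              f"{counts['failure']} failed logins after termination")
    print("accounts to disable/review:", accounts_needing_review(hits))
```

Run against the sample data the script reports two successful post-termination logins for `jdoe` and one failed attempt for `asmith`; in practice the HR feed and VPN export would replace the constructed constants, and the output feeds a deprovisioning ticket rather than a print statement.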

A recent Ponemon whitepaper estimated the true cost of a data breach at $200/record. Multiplied by the 5,000 database records compromised in the SaaSCo breach example, the total cost for which SaaSCo is liable comes to $1 million. Unfortunately, SaaSCo’s investors have seen enough. They pull funding, and SaaSCo later must file for bankruptcy.

Although the example is dramatic, it’s not implausible. SaaS companies need to be confident that they are HIPAA compliant without making any assumptions. Relying on your managed service provider’s HIPAA attestation report is not enough unless you also ensure that your own internal control environment is operating effectively. Never sign a BAA without considering what it means. Think of ensuring HIPAA compliance as an insurance policy that protects you in the event of a breach. No one wants a breach, but companies can help mitigate the risk of being found negligent by the OCR by performing self-assessments or hiring a third party to assess their HIPAA compliance.