With the enforcement of the HIPAA Omnibus final rule starting this week, health IT companies face liability for breaches of patients’ protected health information that they may never have faced before. It’s also making issues like Bring Your Own Device even more stressful for CIOs as they figure out how to make any instances of PHI on these devices secure enough to withstand an audit if the devices get lost or stolen. Although the strategy is not without risks, providers and payers are turning to cloud-based solutions from data security companies to ensure HIPAA compliance.
Here are a few health IT companies taking this approach. Their data security measures are designed to help providers serving as covered entities and HIT companies who are business associates comply with HIPAA.
Point.io allows healthcare providers to use mobile devices to access sensitive documents behind a firewall. It partners with cloud storage providers such as Dropbox and Amazon.
Developers can use Point.io’s application programming interface and mobile middleware to develop apps for their specific needs.
Providers and health IT companies that want their employees to be able to access content securely can use the Point.io platform as a device app or portal to access content in the cloud. If they want to create a more customized application they can build on the platform and RESTful API — a way of viewing an application like a series of web pages to access content behind the firewall.
For an on-premise solution, Point.io also offers a way for companies to bring its cloud-based Point.io platform into the “sub network,” which it describes as the area between the local area network and the end users’ router or mobile device.
Ron Rock, the CEO and co-founder, explained how the service worked in a pilot with a long-term care business.
“We point you to the document and you can get a view of the document but the physical document stays behind the firewall,” said Rock. “It [provides access from] everything from admittance forms to lab reports, [images such as] MRIs and all the research documents that go back and forth.”
Point.io is part of the “mobile backend as a service” industry that’s estimated to grow from $91 million in 2012 to more than $7 billion in 2017.
ClearDATA helps healthcare facilities do security risk assessments. It also provides the documentation companies are required to produce if they’re audited, according to an emailed statement from spokesman Joe Waldygo. It also offers remediation services to correct any risks and signs business associate agreements. It provides HIPAA-compliant cloud computing services for customers that include independent physician practices and large hospital networks. It moves their servers, infrastructure, platforms and applications to one of its data centers in the U.S. and helps demonstrate an auditable chain of custody of electronic protected health information through the entire data lifecycle.
Independent software vendors such as practice management software provider e-MDs, dental, medical and veterinary supplies company Henry Schein and health information exchange technology developer Medicity use its cloud hosting services. Among its other services are offsite backup and disaster recovery and vendor-neutral archiving for medical images.
“For larger organizations and hospitals, we find many cannot go to the cloud fast enough. They have either run out of resources or maximized their budgets for computing power, storage, heating and cooling and other IT resources, and moving their infrastructure to the cloud enables them to save significantly on capital expenditures and other resources. [They] also want to reduce their IT costs for support and maintenance by having those services managed by a HIPAA-compliant Cloud Service Provider.”
TrueVault also has a backend as a service solution for protected health information. Its data storage system allows users to store and retrieve any amount of data at any time from anywhere on the Web. It also encrypts stored data with unique encryption keys.
It’s offering its service to providers and health IT companies with mobile devices that generate protected health information. For example, wearable tech companies are making it easier for consumer-generated health information to be transmitted to insurance companies and providers for analysis. That data could be considered PHI requiring HIPAA security compliance.