How HIPAA compliance works for SaaS companies is one of the most commonly asked and searched questions in the world of HIPAA. The Health Insurance Portability and Accountability Act of 1996 was passed long before cloud service companies existed. Although HIPAA has been updated over the years, the regulations themselves say little about how a SaaS provider should comply; the main direct reference is the HHS Office for Civil Rights guidance on HIPAA and cloud computing published in 2016. Despite the lack of SaaS-specific rules, there are clear steps that companies providing or hosting cloud services should take to be fully compliant.
SaaS Providers as Business Associates
Under HIPAA, there are two types of entities that must comply with its requirements. The first is a covered entity (CE): a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions such as claims and eligibility checks. Cloud service providers generally do not fall into the covered entity category, but they provide their services to CEs.
The second type is the business associate (BA), defined by HHS as a person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity, or that provides services to a covered entity involving the use or disclosure of PHI. A subcontractor that handles PHI for a business associate is itself a business associate. Most SaaS companies that operate in the healthcare industry are HIPAA business associates because their solutions handle PHI, and HHS has stated that this applies even to a cloud provider that only stores encrypted ePHI and never holds the decryption key. As business associates, they must meet specific requirements in order to comply with HIPAA and for covered entities to be comfortable working with them.
Requirements to be HIPAA Compliant
Sign Business Associate Agreements (BAAs)
Because an organization that provides software-as-a-service (SaaS) to a covered entity is a business associate under HIPAA, it must follow the business associate requirements in the law. One of the main pieces is the signing of Business Associate Agreements (BAAs). These are legal contracts between covered entities and their business associates, such as SaaS companies, that spell out the permitted uses and disclosures of PHI, require the business associate to implement appropriate safeguards, oblige it to report breaches and security incidents to the covered entity, and require it to flow the same terms down to its own subcontractors. Since the 2013 Omnibus Rule, business associates are also directly liable under HIPAA for their own violations, so in the event of a breach the party that caused it carries its own liability rather than shifting it to the other.
Operating without a signed BAA is itself a violation for both parties: the covered entity has made an impermissible disclosure of PHI, and the business associate is handling PHI without the required agreement in place, regardless of who actually made a later mistake. Covered entities should therefore be careful to sign a BAA with each and every business associate they work with, and SaaS providers should refuse to accept PHI until one is in place. Within the terms of the agreement, both parties should confirm how they will address and follow the Security Rule requirements.
Implement Security Rule Safeguards
The HIPAA Security Rule, the second major rule issued under HIPAA after the Privacy Rule, lays out administrative, physical, and technical safeguards that covered entities and business associates must follow to keep electronic protected health information (ePHI) secure. For software-as-a-service companies this means that any product or system that stores, processes, or transmits ePHI must be properly protected.
These safeguards are intended to prevent unauthorized access to, alteration of, or disclosure of ePHI. On the administrative side, the Security Rule requires a documented risk analysis and ongoing risk management, workforce training, and a contingency plan. On the technical side, its standards are access control, audit controls, integrity controls, person or entity authentication, and transmission security. Encryption of ePHI at rest and in transit is an "addressable" specification, which does not make it optional: an organization must implement it or document why an equivalent alternative is reasonable and appropriate, and in practice unencrypted ePHI is very hard to justify. For a SaaS company this looks like role-based access to customer data, unique user IDs and multi-factor authentication, tamper-evident audit logs of who accessed which records, encryption of databases and backups, TLS for all connections, and regular risk assessments to find and fix weaknesses before they are exploited.
As noted above, because SaaS companies are business associates and sign BAAs with the healthcare organizations they serve, they are directly liable for breaches of PHI that happen on their end. Enforcing the necessary administrative, physical, and technical safeguards gives both the company and its covered entities assurance that the PHI has been carefully protected, and gives the company the documentation it will need if a breach or an audit ever occurs.