HIPAA Compliance Checklist for SaaS and Cloud Applications

Since Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996, healthcare organizations have been required to ensure the privacy and security of all medical records.

However, the world has changed greatly since HIPAA’s inception, namely through the digital transformation. To keep operations more organized and agile, the healthcare industry has traded paper for electronic processes.

Despite better mobile usability and productivity, unmonitored tech and increased reliance on cloud systems also carry inherent cybersecurity risks. Consequently, HIPAA’s Security Rule now outlines standards that protect certain health information that is held or transferred in electronic form.

To ensure HIPAA compliance, healthcare organizations must be vigilant and proactive with their software usage. Failing to properly comply could not only result in millions of dollars in audit settlements but detrimental security breaches as well.

HIPAA Compliance Checklist for SaaS

To proactively ensure HIPAA compliance, cloud-forward healthcare organizations should:

1. Discover All Applications that Contain ePHI.

Today individual business units around the company are buying software without the involvement of IT. In fact, our data shows that employees and lines of business are responsible for 83% of applications and 72% of spending. Without awareness of all the apps in use around the enterprise, IT is at a deep disadvantage when it comes to maintaining security and compliance.

In the healthcare industry especially, this Shadow IT has even further-reaching implications, as unknown SaaS applications are more likely to contain electronic protected health information (ePHI).

Discovering all SaaS applications across the company is imperative to locating and properly managing ePHI. Professional SaaS Management platforms provide full visibility into your enterprise-wide software stack to help secure the business and remain HIPAA compliant.

2. Review All SaaS Contracts of Apps Containing ePHI.

While HIPAA does allow healthcare organizations to engage with cloud services to store ePHI, not all SaaS applications are equipped to comply with HIPAA standards.

After discovering all apps in use, review the contracts for each engagement to ensure a HIPAA-compliant business associate contract or agreement (BAA) has been signed. The BAA sets the permitted uses and disclosures of the ePHI and ensures the safeguarding of all information by implementing the requirements of the Security Rule.

In addition, contracts should include language about breach notification obligations of the business associate, including a timeframe for reporting a potential breach and how emergencies should be handled. A vendor management system, such as Zylo, enables easy access to contract data and decision-making to ensure HIPAA compliance.

3. Set Compliance Standards for Cloud-Based Apps.

HIPAA states that ePHI (whether at rest or in transit) must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers—which includes everything in the cloud. Yet, while encryption significantly reduces the risk of ePHI being viewed by unauthorized entities, encryption cannot adequately protect the confidentiality of ePHI as outlined by the Security Rule.

Setting standards like SSAE-16, SAS70 Type II, PCI DSS Compliance, or SOC 2 Compliance for all cloud-based apps ensures greater compliance and objectivity when it comes to data center audits. While these compliance standards are not interchangeable with HIPAA compliance, they do help ensure maximum security/privacy and create better audit efficiencies when outlining your compliance goals.

4. Conduct Ongoing Auditing and Reporting.

HIPAA does not require that cloud service providers (CSPs) furnish documentation of their security practices.

However, audit controls are required under HIPAA’s technical safeguards in order to monitor attempted access to ePHI and record how the data is used. Many covered entities fail to conduct regular audits, allowing inappropriate access to occur under the radar and HHS to issue fines even if no breach of ePHI has occurred.

Administrative safeguards of the Security Rule require covered entities to perform risk analysis in accordance with NIST guidelines. A strong risk analysis process examines the likelihood and impact of ePHI breaches, implements corrective security measures, documents the rationale, and maintains cybersecurity protections as part of an ongoing risk analysis process.

5. Determine Protocol for Breach Notifications.

In the event of a breach that compromises ePHI, healthcare entities must notify HHS, the media (for breaches affecting more than 500 patients), or the Office of Civil Rights (for smaller breaches) within 60 days, detailing:

• The nature of the breached ePHI
• The unauthorized entity who used the ePHI
• Whether the ePHI was acquired or viewed
• The extent to which the risk/damage was mitigated

Outlining a protocol of procedures to follow in the event of a data breach ahead of time will not only keep your company HIPAA compliant but more prepared and responsible in the eyes of the public.

Stay Proactively Compliant

The best measure to gaining HIPAA compliance is proactivity—identifying all of your SaaS and setting strategies and protocols ahead of time in case of a breach. Consider:

• Have you discovered all of your cloud-based applications and vendor?
• For each vendor, do you have BAAs in place?
• Have you assessed HIPAA compliance of your SaaS vendors?
• Are you regularly tracking and reviewing your contracts annually?

With full visibility into your SaaS stack and readily accessible information about your CSPs, professional SaaS Management platforms make the HIPAA compliance process easier. Zylo’s fine-tuned abilities to discover all of your SaaS applications, SOC-2 compliance, contract review, and ongoing SaaS management capabilities, allow healthcare organizations to remain proactive in their protection of ePHI and diligent in their HIPAA compliance.