HIPAA Compliance for SaaS

HIPAA compliance and Saas (Software as a Service) is another area that is causing confusion for many in the healthcare space. This is somewhat understandable as HIPAA was originally introduced in 1996, when the idea of SaaS and cloud storage platforms was far from the common consciousness.

More recent Acts and Rules, such as 2009’s HITECH Act and 2013’s Final Omnibus Rule, make provisions for electronic platforms and services – but only in broad strokes. Technical details and other aspects are not defined, resulting in SaaS developers and companies making efforts to be HIPAA compliant without full knowledge of what being compliant means in this area. That being said, current thinking revolves around best practices and industry guidelines. Developers, providers, and hosting companies would do well to note these when designing their services.

What is HIPAA Compliance for SaaS?

To be in compliance with HIPAA, SaaS platforms and tools that deal with protected health information (PHI) must meet the administrative, physical, and technical standards laid out in the HIPAA Security Rule. Services covered by this Rule may include applications that collect personally identifiable information and tools that are used to create, process, or share PHI. Service providers may even need to enter into a Business Associate Agreement (BAA) with HIPAA covered entities in some cases.

The HIPAA Security Rule does not outline exact measures that need to be taken for cloud storage, VPS, or other data hosting SaaS packages to be compliant. While they may be considered “shared” architectures, nothing in the Rules prohibits their use. The most important thing for HIPAA covered entities and their business associates is that there are options to make the service eligible for use under HIPAA.

Key Compliance Areas For SaaS Providers and Hosting Companies

Most e-health applications are only for personal use only and do not need to be HIPAA compliant. SaaS developers and hosting companies whose clients use their services in a professional capacity in the healthcare industry will need to ensure that their tools meet the administrative, physical, and technical standards set by the HIPAA Security Rule.

The purpose of the administrative, physical, and technical standards is to stop unauthorized disclosures of PHI. They apply both when the data is at rest and in transit. SaaS developers and providers need to offer settings that allow access controls, user identification measures, and data encryption to be implemented. Access to physical storage locations should also be controlled.

Required Vs. Addressable Safeguards

HIPAA Rules mention a number of protections; some are listed as required, others as addressable. Required safeguards are mandatory and must be put in place as specified, without exception. Addressable protections are those which must be examined to evaluate whether they are relevant to the case at hand, and if so, there is some leeway as to how they can be implemented. The most important factors are that the desired level of protection is reached and the decision for using the method selected, or for not implementing any protection at all, is documented and available for examination.

The scope of required and addressable measures are slightly different between SaaS providers and HIPAA covered entities. One such difference is with the addressable safeguard of encryption. Healthcare providers may be allowed to forgo encryption or use a different data security method if their use and management of PHI were strictly confined to their private and secure network. As SaaS providers and hosting companies are external to the healthcare organization, a single internal network could not exist and they would be required to implement encryption, even though encryption is thought of as addressable.