This article first appeared on HISTalk on December 18, 2013. Click here to see the original version.
This holiday period will see a rerun of many classic holiday movies, with one of my particular favorites being Miracle on 34th Street. A delightful film about the importance of retaining faith, even in the absence of any evidence – in this case, whether Santa Clause is real. As C.F. Cole puts it in the 1994 remake of the movie, “We invite you to ask yourself this one simple question: do you believe in Santa Claus?” following which all across the city people start putting up signs proclaiming, “We believe.”
As I walked around the exhibition floor of the 2013 mHealth Summit last week, I felt I was being asked to take a similar leap of faith. Specifically, that every company there was HIPAA compliant simply because they said so. For most, it would be part of their sales pitch. The term “HIPAA compliant” would be sprinkled liberally throughout the description of their service. For some, it was actually emblazoned on their wall posters. “HIPAA Compliant Data Hosting” and “HIPAA Compliant Mobile Development” are two I specifically recall.
When I challenged them on what they were actually doing to be HIPAA compliant, the answer was too often limited to, “We store our data in an encrypted database,” or, “We use a HIPAA-compliant data center.” Therein lies a key challenge within the SMB health tech marketplace. Too many companies simply do not know what it means to be HIPAA compliant. That is a particular concern given that recent changes in the law mean they are now federally required to be so.
Why is simply storing data in an encrypted database an insufficient response?
The objective of HIPAA is to protect the “confidentiality, integrity, and security” of electronic Protected Health Information (ePHI). While encrypting data can certainly be a part of this, it does not cover the many other aspects also required, including determining who has access to the data; how and where the data is being shared; who can edit or delete the data; and so on.
The HIPAA security rule alone contains 42 standards and implementation specifications spread across three groups – administrative, physical, and technical. This is separate from the HIPAA Privacy and Breach Notification Rules, both of which are part of the overall HIPAA compliance requirements.
Even if you scratch a little deeper into the companies that claim to offer HIPAA-compliant hosting services, you should pay particular attention to the wording they use. While they may be willing to sign a Business Associate Agreement, they deliberately stop short of promising to provide a HIPAA-compliant solution. This is because they do not control access to the application — the solution provider does.
The next time a company tells you they are HIPAA compliant because they store their data in a HIPAA-compliant database or data center, you are certainly welcome to take a leap of faith. In the movie, after Judge Henry Harper is presented with evidence that the US Postal Service is delivering letters addressed to Santa Clause, he declares that, “…since the United States Government declares this man to be Santa Claus, this court will not dispute it.” However, I doubt that the enforcement arm of the Office for Civil Rights will be as liberal in its judgments.