SaaS & HIPAA Compliance
HIPAA compliance for SaaS is one of the a range of HIPAA-related topics full of if, buts and maybes. In this case, the reason for there being so many possible answers to questions about cloud services is due to the fact that the original Health Insurance Portability and Accountability of 1996 Act was enacted long before cloud services were commercially available.
The subsequent HITECH Act of 2009 and the Final Omnibus Rule of 2013 make a small number of references to any technical specifications, leaving many developers, service providers and hosting companies in the dark about HIPAA compliance for SaaS. However, there are some guidelines and best practices businesses developing, providing or hosting cloud services should put in place.
HIPAA Compliance for SaaS
In relation to software developers and service providers, HIPAA compliance for SaaS means complying with the administrative, technical and physical safeguards of the HIPAA Security Rule – provided the products you develop or the services you provide include the creation, use or transmission of Protected Health Information (personally identifiable data about an individual). For instance:
- If you are software developer, and you create an application that gathers personally identifiable data about an individual that may later be sent to a medical professional, you are subject to HIPAA compliance for SaaS developers.
- If you are a service provider whose clients create, use or share Protected Health Information through your services, you are subject to HIPAA compliance for SaaS providers and may have to execute a Business Associate Agreement with selected account holders.
In relation to SaaS hosting companies, there is no specific provision in the HIPAA Security Rule that disallows the architecture of a cloud server, VPS server or SaaS application – even though by nature these are “shared” architectures. However, most HIPAA-covered Covered Entities and Business Associates will want to be aware that you offer an HIPAA-eligible option.
Required Safeguards vs Addressable Safeguards
In all instances, if a safeguard is “required”, it is compulsory. The safeguard must be adapted and there are no exceptions. “Addressable” safeguards have been interpreted by some as a safeguard “we must get around to addressing sometime in the future”. This is not so – especially in relation to HIPAA compliance for SaaS providers and hosting firms.
An addressable safeguard is one that must be adapted unless a suitable alternative is implemented in its place, or it is determined the addressable safeguard is unnecessary. The reason(s) why an alternative or no safeguard is put in place must be chronicled after conducting a risk assessment and developing a risk mitigation strategy – both of which must also be recorded.