Health information technology solutions that are remotely hosted or cloud based are becoming more common. In these scenarios, a health care provider is allowing its data – oftentimes including protected health information (“PHI”) – to flow through or be stored in the vendor’s data center. If PHI is involved, the parties should determine whether a Business Associate Agreement (“BAA”) is necessary for HIPAA compliance. But knowing a vendor’s security standard – regardless of whether a BAA is in place – can give the health care provider confidence that its data will be protected, with a lower risk of damaging breaches occurring.
A variety of security standards are in use in the IT industry today. Some of the more common include:
- Service Organization Control (“SOC”)
  - SOC 1 (SSAE 16) – This report replaces the previous SAS 70 and focuses on a service provider’s internal controls related to financial reporting.
  - SOC 2 (AT Section 101) – This report focuses on a service provider’s IT infrastructure related to security, privacy, availability, processing integrity and confidentiality, and is certified by a public accountant based on AICPA (“American Institute of CPAs”) standards. This report is intended for customers of a service provider regarding the service provider’s data center.
  - SOC 3 – This report covers the same subject matter as a SOC 2 report but is shorter, less detailed and geared towards a general audience. Hospitals contracting with a service provider will want to get a SOC 2 report rather than a SOC 3 report.
- Electronic Healthcare Network Accreditation Commission (“EHNAC”) is a nonprofit entity that independently certifies a variety of organizations that are engaged in the electronic transmission of health care data. EHNAC’s focus is on improving efficiency and data security in health care IT systems.
- ISO 27001 – This is a certification from a national accreditation board (ANSI-ASQ National Accreditation Board) that focuses on overall IT systems management and security. It can assist service providers in developing best practices, but it is not certified by a public accountant and is not focused on reporting to a service provider’s customers.
Health care providers should not only be familiar with a potential vendor’s data security standards but should also consider including appropriate language in the contract to address the potential risks and remedies.
If you have questions about IT security standards, please contact Joshua Reading at 317-977-1486 or jreading@hallrender.com or your regular Hall Render attorney.