Is My SaaS Provider HIPAA Compliant?

Cloud Technology illustration concept

Organizations that handle healthcare data must choose their technology partners with particular care. Failing to comply with the Health Insurance Portability and Accountability Act (HIPAA) can leave data at risk and lead to stiff penalties.

As a result, potential clients often ask us, “Are Laserfiche and your Managed Cloud services HIPAA compliant?”

The short answer is: only when you use them correctly—but we can help make it easier for you to stay in compliance.

That’s because the US Department of Health and Human Services (HHS) does not have a program to certify that a software or Cloud Service Provider (CSP) is HIPAA or HITECH-compliant.

In a hosted solution like Managed Cloud, three parties have a role to play in HIPAA compliance: the CSP (in our case, Microsoft Azure Government), the cloud service administrator (MCCi), and the client (you).

Under HIPAA, both the CSP and the cloud service administrator are considered “Business Associates” of an organization that handles healthcare information. This means that they create, receive, maintain, or transmit protected health information (PHI).

As business associates, they must sign an agreement to:

  • Protect PHI through administrative, physical, and technical means
  • Document, address, and report security incidents
  • Comply with all other HIPAA requirements (like only accessing PHI to fulfill contractual obligations)

Your CSP and cloud services administrator can’t guarantee that you are completely in compliance. Even if you use the world’s most secure technology, the way your organization handles data within the solution might be risky. It’s up to you to use software and cloud solutions in a HIPAA-compliant way. The final burden is yours, not your business associates’.

So, how does MCCi help you stay compliant? Let’s look at the roles and responsibilities of each party to see how they work together to support data security.

Cloud Solution Provider (CSP)

Microsoft Azure Government Cloud is responsible for the security of the cloud infrastructure, or Infrastructure-as-a-Service (IaaS):

  • Physical hosts
  • Physical network
  • Physical datacenter

How can you feel confident that Azure properly secures their cloud infrastructure, since there is no recognized HIPPA-compliant certification? Because it meets other established frameworks and standards for CSPs that map to HIPAA and HITECH Act Requirements:

According to The National Institute of Standards and Technology (NIST), a FedRAMP assessment and authorization provide strong assurances that HIPAA Security Rule safeguard standards and specifications are addressed adequately (see NIST SP 800-66 Appendix D and NIST SP 800-53).

Azure Government holds a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) maps HIPAA and HITECH Act requirements to CCM control objectives covering fundamental security principles across CCM domains.

Azure Government maintains the CSA STAR Certification and CSA STAR Attestation based on the CCM.

The HHS’ HIPAA Security Rule Crosswalk to NIST Cyber Security Framework maps each administrative, physical, and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework (CSF) subcategory and provides relevant control mapping to other standards, including ISO/IEC 27001 and NIST SP 800-53.

Azure Government aligns with the NIST CSF and is certified under ISO/IEC 27001.

Cloud Service Administrator

MCCi is responsible for the Systems Management of IaaS resources:

  • Application configuration
  • Network controls
  • Operating system
  • Systems management

MCCi’s systems management processes and procedures are designed to meet many compliance standards, including HIPAA. Additionally, all personnel interacting with client systems (support, professional services, development) must complete HIPAA Awareness for Business Associates training every two years.

Client

You are responsible for Laserfiche administration and application.

  • Information and data
  • Accounts, identities, and access management (implementation and management of Laserfiche security rights)
  • Data access auditing
  • Identity and directory infrastructure
  • Retention
  • Recovery
  • Network security
  • Devices (mobile and PCs)

Laserfiche has robust security and audit trail capabilities that, when properly configured, support your HIPAA compliance. Ultimately, it is your legal responsibility to ensure you have the correct processes.

We know that compliance is tricky. But with MCCi, you don’t have to figure it out on your own. Our consultants can advise your Laserfiche administrators on the best methods for securing your system. Or, we can go a step further: our expert professional services team can configure the appropriate settings on your behalf. You can rest easy knowing that your sensitive data is protected.

Azure MCCi illustration

MCCi and our technology partners take data compliance and security seriously.

Learn more about how our Managed Cloud Solutions empower innovation and efficiency or contact us today to discuss your organization’s digital transformation needs!