Simplifying HIPAA compliance for healthcare providers

The global market for cloud-based healthcare technologies is expected to grow at an average rate of 17.6% to cross the $201 billion mark by 2032 — with the U.S. accounting for 51% of that total — according to a 2023 report by Market.us.

The rapid growth is not surprising, as cloud-based communications and patient record systems can be deployed with significantly lower cost and complexity, compared to their legacy counterparts.

In the U.S., healthcare companies looking to benefit from these cloud technologies must ensure that they’re staying compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA.) New networking technologies like SD-WAN can help.

To help explain more about HIPAA compliance and how Bigleaf can help, we reached out to one of our partners, James Bowers II. As the owner of Input/Output, James consults with companies to help them achieve and maintain their HIPAA compliance. His clients have seen a lot of success using Bigleaf’s SD-WAN to address HIPAA requirements.

Q: So, what exactly is HIPAA and why is it such a big issue for healthcare companies who want to use cloud technologies?

James: HIPAA was initially introduced to help consumers keep their insurance coverage, but it also includes another set of provisions called “administrative simplification” aimed at improving the efficiency and effectiveness of the healthcare system. The administrative simplification provisions cover:

• Electronic transmission of common administrative and financial transactions (such as billing and payments)
• Health data and identifiers for individuals, employers, health plans, and heath care providers
• Privacy and security standards to protect individually identifiable health information

These kinds of protections ensure that patients are protected and that healthcare data is kept private and secure.

That being said, HIPAA compliance is extensive, complex and, for a lot of companies in the healthcare field, required by law. A lack of proper HIPAA compliance can lead to extensive civil and criminal penalties. So these companies are understandably slow to adopt new technologies that might put their compliance at risk.

But competition is pushing companies to adopt faster, cheaper, cloud-based technologies for critical applications like patient record management. To stay HIPAA-compliant through their cloud journey, companies need to be able to show that they have contingencies in place to maintain a connection to cloud-based patient records in the event of an internet outage.

At Input/Output, we’re focused on helping companies make this cloud move as painlessly as possible while maintaining their HIPAA compliance. So SD-WAN felt like the perfect technology to provide our clients with an outage-proof Internet connection that allows them to benefit from the speed and cost-effectiveness of cloud-based technologies without putting their HIPAA compliance at risk.

Q: What kinds of companies need HIPAA compliance?

James: Any company that stores, transmits, or that may come in contact with electronic protected health information (ePHI) falls under HIPAA in some way. Apart from traditional healthcare providers like urgent care centers and assisted living centers, there are quite a few entities that are covered under HIPAA that you may never think of like:

• MSP providers
• Data backup providers
• IT providers
• Office cleaners (not fully HIPAA themselves, but proper confidentiality agreements are required to be in place)
• Copier companies (I have one from last week that may get a HIPAA audit because one of their clients is getting audited)
• ISPs

Most of my clients fall into the traditional healthcare provider role, but these others are also required to perform HIPAA risk assessments, and there is quite a bit that they have to provide to stay compliant. It warrants a further conversation with them as it depends on what precisely they are doing but in some cases, they have more requirements than the provider themselves.

It’s eye-opening for a lot of providers.

Q: How does internet connectivity fit into the HIPAA requirements?

James: Covered entities — entities that are required to follow HIPAA guidelines — are required to have a written plan in place that specifies how they will maintain access to ePHI in the event of an emergency. Access, or the lack thereof, to ePHI in a critical patient situation could mean the difference between life and death.

Less drastic, but still required, is that ePHI must be available to patients if requested. A lack of access to ePHI can impede a covered entity’s ability to provide care to their patients, which can have a tremendous impact on the entity’s bottom line and reputation. For these reasons alone, a contingency plan is an essential consideration.

Q: How does Bigleaf’s SD-WAN help your clients with HIPAA compliance?

James: The best contingency plan to an emergency internet outage situation (that could restrict access to ePHI) is to avoid the outage altogether, and Bigleaf’s 99.99% uptime guarantee can help a practice do just that.

By leveraging multiple internet connections along with Bigleaf’s intelligent SD-WAN platform, a covered entity can reduce their internet downtime to less than 53 minutes per year. Compare that to the hours and sometimes days of downtime companies experience with other internet solutions.

Q: What makes Bigleaf’s SD-WAN a particularly good fit for HIPAA compliance?

James: The key to Bigleaf’s SD-WAN, relative to HIPAA is in its simplicity. Simple solutions like Bigleaf can drastically reduce the HIPAA ePHI contingency planning required. Instead of heavily-documented manual procedures, Bigleaf provides an automated solution with built-in backups and failover protection. Add in some considerations for large-scale disasters, perhaps keep local copies of ePHI for upcoming procedures, and a covered entity has a robust, cost-effective, and compliant solution.

A simple contingency plan leveraging Bigleaf SD-WAN is also considerably easier to implement. The Bigleaf router installs transparently without any changes needed to existing firewalls. So deployment can be done quickly and reliably. Once installed, their intelligent platform automatically detects, prioritizes and routes traffic over the right connection without the need for complicated policies and rules. This ensures that a covered entity not only maintains access to their ePHI, but also provides the best care to their patients and reduces mistakes, which keeps a covered entity protected.

Complex solutions, plans, and processes introduce mistakes or are ignored entirely. At Input/Output, we provide solutions that seamlessly integrate with a company and their business model. To support this seamless integration, we rely on simple, secure and reliable solutions like Bigleaf SD-WAN. Once installed, a covered entity can focus on their business and patients, not their technology or compliance requirements. That’s the way it should be.

Q: Any final thoughts for a company that may be struggling with HIPAA’s contingency requirements?

HIPAA can seem intimidating and impossible to manage, but it doesn’t have to be. The key is to understand all your options and choose technologies and solutions that eliminate complexity wherever possible.

—
A big thanks to James for sharing his expertise and insight. If you have any questions for James or would like to learn if Input/Output could help with your own HIPAA compliance challenges, reach out to them today at (561) 408-0007 or visit their website at www.inputoutput.tech.

If you’d like to share your own partner perspective in a future Bigleaf spotlight, email us any time at stories@bigleaf.net. We’d love to share your story!