Global healthcare, life sciences, and pharmaceutical companies can be subject to overlapping or conflicting laws across countries. For example, forced data disclosure laws in some countries might violate the privacy rules of another country or region, such as General Data Protection Regulation (GDPR), if the data crosses national or regional boundaries.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act help healthcare companies understand their responsibilities when it comes to data protection. Since so many laws, regulations, and rules pertaining to healthcare and life sciences data exist across the world, this section will not provide the details of each and every one. Nonetheless, key themes across most healthcare, life sciences, and pharmaceutical regulations are:
- The company that controls the data, not the cloud provider processing it, is ultimately responsible for data security.
- Adequate measures, in most cases encryption and backup data, must be taken to prevent unlawful disclosure of private data.
- If a breach or data loss occurs, it must be reported to the regulating entity.
Guarding Sensitive Patient Data Under HIPAA and HITECH
HIPAA was developed to protect sensitive United States (US) patient data through its Privacy and Security Rules. According to these rules, any company that gathers or uses Patient Health Information (PHI) must have physical, network, and process security measures in place to ensure HIPAA compliance.
HITECH specifically covers the PHI data risks for HIPAA. PHI includes any and all data collected by healthcare professionals that identifies an individual and determines appropriate care, such as demographic information, insurance information, medical history, and test and laboratory results. HIPAA applies to any provider operating in the US, even if it is located outside the country.
HIPAA’s Security Rule is specifically aimed at protecting health information that is stored or transferred in electronic format (ePHI). According to the Health and Human Services (HHS) HIPAA website, the Security Rule requires that HIPAA-covered entities implement the following protections for ePHI:
- Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
HIPAA Responsibilities for Covered Entities Versus Business Associates
Under HIPAA, “Covered Entities” include healthcare providers, health plans, and healthcare clearinghouses. “Business Associates” are entities, vendors, or subcontractors that create, receive, maintain, access, or transmit PHI on behalf of a Covered Entity. Business Associates include Cloud Service Providers (CSPs), such as Salesforce, Veeva, and OwnBackup.
SaaS Data Protection Requirements Under HIPAA
According to HIPAA rules, data protection responsibility lies completely with the Covered Entity, not the Business Associate. Exact copies of electronic PHI must be backed up securely, and the Covered Entity must be able to restore them fully in the event of data loss. HIPAA requires backups to be frequent, encrypted, tested, and stored offsite.
Business Associate Agreements Must Be Signed
As the responsible party, Covered Entities must ensure Business Associates sign their Business Associate Agreement (BAA). Without both parties signing this agreement, the Covered Entity could be fined for HIPAA non-compliance.
To maintain HIPAA compliance, Covered Entities must vet each third-party SaaS app, such as those on the Salesforce AppExchange, and custom software developers for Force.com apps separately before sharing or transmitting PHI. A separate BAA is recommended for each third-party app working with the Covered Entity.