HIPAA-Ready vs. HIPAA Compliance: Understanding the Difference
What is HIPAA Compliance?
HIPAA compliance means that a covered entity (and each of its business associates) is adhering to all of the safeguards required by the Health Insurance Portability and Accountability Act (HIPAA), in particular the HIPAA Security Rule, which protects electronic protected health information (ePHI).
The Security Rule groups these safeguards into three categories:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
There is no official HIPAA certification and no routine pre-approval: enforcement by the HHS Office for Civil Rights is typically triggered by a complaint, a reported breach, or a compliance review. Until then, it is each entity’s responsibility to evaluate and audit its own operations against the HIPAA regulations to ensure compliance.
What Does Being ‘HIPAA-Ready’ Mean?
‘HIPAA-ready’ is a term that some public cloud hosting companies and other software providers use to describe their offerings. While it implies that their services meet the requirements put in place by HIPAA, it often refers only to physical safeguards, which make up a very small percentage of what is required in order to be considered fully HIPAA compliant.
While building on a HIPAA-ready platform can make it easier to achieve HIPAA compliance, the term is often misconstrued to mean that no additional work needs to be done in order to meet the requirements of HIPAA. Additionally, no certification or evidence of HIPAA compliance is required for a vendor to make this claim, so it is important to do detailed and careful research. Whatever a platform calls itself, you still need a signed Business Associate Agreement (BAA) with the provider before storing PHI on it, and a BAA only covers the provider’s share of the responsibility, not yours.
Let MedStack Make Sure You’re Protected
It’s important to remember that there is a major difference between being ‘HIPAA-ready’ and actually maintaining HIPAA compliance.
Being HIPAA-ready isn’t a bad thing, but it’s vital to note that this state of readiness doesn’t guarantee HIPAA compliance.
This page will help you understand the key differences between these terms, as well as how MedStack supplements public cloud provider services to guarantee the integrity of all of your HIPAA protections.
What Do Public Cloud Providers Offer?
There are some beneficial services that cloud providers offer towards maintaining HIPAA compliance, but it’s only a small percentage of the full HIPAA requirements.
Physical safeguards for data centers are the largest contribution that cloud platforms make towards HIPAA requirements. These safeguards could include things such as:
- Facility access controls (security guards, badged entry, visitor logs)
- Device and media controls (secure handling and disposal of storage media)
- Disaster recovery plans for the data center itself
These physical safeguards account for roughly 3% of total HIPAA compliance.
As a client, you will still need to:
- Build all technical safeguards, such as encryption at rest and in transit, proper backups, TLS certificate management, logging and monitoring, intrusion detection, vulnerability scanning and more.
- Design, write and implement proper policies and procedures
- Audit yourself regularly to maintain compliance
- Answer all security questionnaires manually
When it comes to auditing, cloud providers will typically suggest enabling their audit-logging capabilities so that security analysts can examine detailed activity logs and reports.
Producing audit evidence from those logs (who accessed which records, from which IP address, when, and whether the access was allowed) means filtering large volumes of raw log data, and the resulting reports can be extensive and time consuming to create. Without additional support, your team will need to generate these reports manually.
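The following is an added example, not MedStack’s or any cloud provider’s code, of the kind of manual report-building the paragraph above describes: it takes raw access-log lines, answers “who accessed this record, when, from where”, and flags the events an auditor would want to see first (denied access, and access from outside an allow-listed network). The JSON-lines log format, the sample events, and the trusted network range are all constructed for the example; every real provider has its own log schema.

```python
"""
Added example (not MedStack or cloud-provider code): build an audit report
from raw access-log lines. The log format, events and trusted network range
below are constructed assumptions, not any real provider's schema.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:12Z", "user": "dr.alice", "src_ip": "10.20.1.15", "action": "read", "resource": "patient/1001", "result": "allowed"}
{"ts": "2024-03-01T09:03:40Z", "user": "dr.alice", "src_ip": "10.20.1.15", "action": "update", "resource": "patient/1001", "result": "allowed"}
{"ts": "2024-03-01T11:42:05Z", "user": "billing.bob", "src_ip": "10.20.2.7", "action": "read", "resource": "patient/1002", "result": "allowed"}
{"ts": "2024-03-01T23:15:51Z", "user": "contractor.eve", "src_ip": "203.0.113.9", "action": "read", "resource": "patient/1001", "result": "allowed"}
{"ts": "2024-03-02T02:01:00Z", "user": "contractor.eve", "src_ip": "203.0.113.9", "action": "export", "resource": "patient/*", "result": "denied"}
"""

# Hypothetical internal network from which PHI access is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_log(text):
    """Parse JSON-lines audit events; skip blank or malformed lines but count them,
    so the report can state how much of the log could not be evaluated."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ipaddress.ip_address(ev["src_ip"])  # validates the field exists and parses
            events.append(ev)
        except (ValueError, KeyError):
            malformed += 1
    return events, malformed


def is_trusted(ip):
    """True if the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def build_report(events):
    """Per-user summary (resources touched, source IPs used, event and denial
    counts) plus a list of events worth an auditor's attention."""
    per_user = defaultdict(lambda: {"resources": set(), "src_ips": set(), "events": 0, "denied": 0})
    flagged = []
    for ev in events:
        rec = per_user[ev["user"]]
        rec["resources"].add(ev["resource"])
        rec["src_ips"].add(ev["src_ip"])
        rec["events"] += 1
        if ev["result"] != "allowed":
            rec["denied"] += 1
            flagged.append(("denied", ev))
        elif not is_trusted(ev["src_ip"]):
            flagged.append(("untrusted_ip", ev))
    summary = {u: {**r, "resources": sorted(r["resources"]), "src_ips": sorted(r["src_ips"])}
               for u, r in per_user.items()}
    return summary, flagged


def who_accessed(events, resource):
    """The classic audit question: who successfully accessed this record, when, from where."""
    return [(ev["ts"], ev["user"], ev["src_ip"], ev["action"])
            for ev in events if ev["resource"] == resource and ev["result"] == "allowed"]


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    report, flags = build_report(evs)
    print(f"{len(evs)} events parsed, {bad} malformed lines skipped")
    for user, rec in report.items():
        print(f"{user}: {rec['events']} events, {rec['denied']} denied, "
              f"resources={rec['resources']}, ips={rec['src_ips']}")
    for reason, ev in flags:
        print(f"FLAG {reason}: {ev['ts']} {ev['user']} {ev['action']} {ev['resource']} from {ev['src_ip']}")
    print("patient/1001 accessed by:", who_accessed(evs, "patient/1001"))
```

On the sample data the report flags the contractor’s read from an address outside the trusted range and the denied bulk export; the per-record view shows every successful access to `patient/1001`. Scaling this to a real environment means replacing the constructed schema with the provider’s own log format and keeping the allow-list and the flagging rules under change control, since they are themselves part of the evidence an auditor will ask for.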
Policies and Procedures
Cloud providers do not write policies and procedures for you.
This means that you and your team need to develop, draft, and implement these policies and procedures yourselves, and then test them against realistic scenarios. Improperly developed plans can leave your business open to HIPAA violations.
Cloud providers do not assist with answering security questionnaires, also known as Vendor Security Assessments (VSAs).
When you’re trying to sell your software or product to the market, you’ll be asked to complete security questionnaires for potential enterprise clients, which can range from 5 to 500 questions per client.
Answering these security questionnaires can be an exhausting and lengthy process, which you and your team will need to manage in-house if you’re relying solely on HIPAA-ready cloud providers.
What Can MedStack Provide?
Beyond simply “HIPAA-ready”, MedStack helps our clients to maintain full HIPAA compliance.
MedStack leverages the physical safeguards that cloud providers offer, and then automatically provisions ~95% of the technical HIPAA compliance requirements on top of this.
This means, just by creating a server on MedStack, you’ll immediately have 95% of your technical safeguards in place. Without MedStack, you and your team would need to build, maintain, and manually provide evidence that these technical safeguards are being met.
MedStack’s platform allows you to automatically generate logs and detailed reports so you don’t have to manually build these items each time that you audit your business.
This can save you, your team, and your customers a huge amount of time during the auditing process, which allows you to more quickly and easily provide evidence of your HIPAA compliance.
It also makes performing regular audits much less frustrating and time consuming, and can make your product more appealing to new enterprise clients looking to onboard innovative solutions.
Policies and Procedures
When you use MedStack, policies and procedures are generated and available to you on Day 1.
Not only does this save your team time and effort putting these together manually, but MedStack’s policies and procedures are designed to reflect the true state of your environment, which is another valuable piece of evidence that HIPAA requires.
MedStack partners can upload security questionnaires directly via the MedStack platform. MedStack can answer ~95% of questions on our customers’ behalf, typically within a week.
This saves your team time and energy filling out these VSAs by hand, while also allowing you to easily manage multiple security questionnaires in tandem.
These submissions are a key component of long-term growth for vendors selling into the healthcare industry.
Don’t Let Yourself Be Misled by ‘HIPAA-Ready’ Marketing
In addition to all of the safeguards that MedStack has in place, our procedures and policies are automatically updated in real-time to ensure continuous, long-term protection.
This way, you won’t inadvertently fall out of HIPAA compliance without realizing it, or have your policies go out of date.
We’re making it easier, faster, and more affordable for companies to design and launch digital healthcare solutions that automatically meet the stringent requirements of modern health enterprises.
Stop wasting time, energy, and resources on paperwork instead of your product.
MedStack can put your business on the fast track to growth and take your application from zero to healthcare hero.
To learn more, book a demo today!