Why You Should Reconsider Hosting HIPAA Data Overseas

Author: Veronica Miller
March 4, 2015

Disaster Recovery as a Service (DRaaS) ensures the continuity of your business during any disaster. However, choosing the right DRaaS provider for a secure business environment can be tricky, especially if you’re an organization covered by HIPAA and HITECH regulations.

If you’re considering international hosting and recovery, consider these questions first:

What If the Current Regulations Change?

Technically, you are able to select a hosting provider outside the United States. As of right now, the rules of HIPAA and HITECH fail to address the international aspect, leaving no requirements but also no protections. Many expect changes soon, since cloud hosting has become more common. If regulations are updated, will you have to move your data home? If so, how long would it take and what kind of exposure would you risk during this move? What would that cost your business?

Consider the recent drama around Safe Harbor. The EU decided it was no longer a valid mechanism for regulating the safe transmission of EU personal data, and failed to immediately provide an alternative. This strike-down left the entire world in the lurch. What happens if the same occurs for HIPAA?

Who Knows the Regulations Better?

An international provider might not understand the rules already in place. While there would be fewer vendors to choose from when selecting a domestic option, DRaaS providers based within the US will be more familiar with HIPAA regulations.

Also, what about other standards? Security laws of the hosting country might differ from those in the US. Make sure their encryption is up to par. If the standards of protection are different, your data may be vulnerable to a breach. Do they run employee background checks? Costs on paper don’t always match reality.

Will You Know Where the Data is Going?

Some DRaaS providers will send backups between datacenters or to other vendors. With global providers, your data could be traveling overseas on a regular basis. If you decide to terminate your relationship with an international provider, how will you locate and retrieve your data?

Healthcare companies require a certificate of destruction when terminating data. This ensures the data will not arrive into unwanted hands. Select a provider who understands the intricacies of this requirement and has a track record of being able to deliver.

Who is Liable?

HIPAA is not an international standard, and therefore it isn’t governed by an international body. If you do business with an international hosting provider and a breach occurs, is that hosting provider legally obligated to comply with penalties and fines? If your international vendor can’t or won’t pay the fines, the fines still have to be paid. Make sure your contracts are airtight. When you select a domestic provider, the laws apply to both parties.

If there’s a breach and the international provider will not cover the costs, would your insurance cover it? Choose a provider that will sign a BAA (business associate agreement), which makes them liable for the protection of that data. (Not all domestic providers will sign a BAA.)

Can You Communicate with the Provider in an Emergency?

With drastically different time zones, your daily operations might not align with an international provider. Will they respond to you and your clients’ needs during routine business operations, let alone during an emergency? This might mean less-than-proactive support.

Consider which option would encourage communication between parties. An international provider might not speak the same language or understand cultural nuances. What would be the impact of this in a time of crisis? Having clear communications ensures fewer missteps and delays, which leads to faster recovery.

Conclusion

When choosing a DRaaS solution to meet your HIPAA compliance needs, choose a provider that offers the most flexible solutions for your healthcare business, both in terms of technology and security. InterVision only has US datacenters, so you can rest assured data won’t leave the US. We sign BAAs and have a history of performing complex DRaaS for healthcare organizations covered by HIPAA/HITECH regulations.
