Are Your SaaS Apps HIPAA Compliant?

If you are not familiar with HIPAA, this acronym stands for Health Insurance Portability and Accountability Act, a United States Act of Congress enacted in 1996. According to the CDC, HIPAA is “a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” In short, this is a set of standards created to protect your health data.

Current Trends in SaaS Adoption

It is no secret that the SaaS movement is taking the world by storm. In its report “2020 State of SaaSOps: The Impact and Implications of the SaaS Revolution”, SaaSOps expert BetterCloud states that “by 2025, 85% of business apps will be SaaS-based.” If this statistic proves to be true, enterprise IT organizations will have to evolve rapidly to manage the shift to a tech stack that runs almost completely on SaaS applications. When paired with the trend toward a remote workforce following the COVID-19 pandemic, these trends can only be expected to accelerate timelines for SaaS adoption.

Source: BetterCloud (author unknown). 2020. “2020 State of SaaSOps: The Impact and Implications of the SaaS Revolution”. https://explodingtopics.com/blog/saas-statistics

 

Hybrid Cloud Solutions: Never a Better Time

Given current trends in SaaS adoption, it would not be surprising if modern enterprises truly adopted SaaS solutions for 85% of their technology initiatives. However, these statistics raise the question: is following this trend the wisest decision for my business, or should I consider a more conservative position between agility and security in order to remain compliant with HIPAA and other similar regulations?

 

The Agility vs. Security Conundrum

Fifty years ago, when the majority of information related to clients, billing, products, inventory, etc. was kept in physical ledgers, this data could easily be kept under lock and key. Sure, there were no digital backups, but we found ways (modern, at the time) to protect valuable information. Is anyone’s mind drifting back to triplicate paper, where a signature on the first page would magically copy to all subsequent layers? Thankfully, this is a thing of the past! Now that we are in the era of cloud computing and remote work, businesses have placed a premium on software, storage, and computing solutions that aim to do three things:

  1. Implement rapidly
  2. Be accessed and used intuitively
  3. Integrate seamlessly with existing technology

     

The problem here is that privacy law, the relatively new kid on the block, is moving in with a vengeance. Consumers are frustrated with spam calls, emails, and targeted marketing and want a way to maintain a sense of privacy. In order to abide by the plethora of new laws, modern businesses must keep a close eye on these new policies and ensure that their digital strategy can cope, at a foundational level, with an extremely fluid regulatory landscape. Additionally, the penalties for violations are costly:

  • For HIPAA: up to $25,000 per violation category
  • For other data privacy laws: multiple percentage points of an organization’s worldwide annual revenue

 

State of Consumer Privacy Law in the U.S.

Those doing business in highly regulated industries such as finance & banking, healthcare & life sciences, insurance, etc. are already keenly aware of the SaaS transition, as well as the need to ensure that sensitive data remains secure and compliant. Executives in Technology and Information Security are constantly under pressure to deliver more data, onboard employees faster, and secure data more efficiently, all while abiding by an ever-increasing list of Governance, Risk, and Compliance requirements. In fact, as of September 14, 2022, five states (CA, CT, CO, VA, and UT) have either enacted or are slated to release their own comprehensive consumer data privacy laws. While the desire for SaaS agility and the need for enterprise security are not diametrically opposed, these two forces have created a friction point that Global 500 executives cannot afford to ignore!

 

Questions You Can Ask to Drive Productive Dialogue Around SaaS & Compliance

You may be ahead of the curve, on target, or behind the pack when it comes to preparing your organization for the next revolution in data security. The following questions are what SaaS-first organizations must think about when managing sensitive data elements, specifically as they relate to HIPAA:

  • If SaaS vendors back up or store our organization’s data, how will we know if any of that data is affected by a breach at the cloud provider’s site or data center?
  • What if a cloud provider experiences a breach and either (a) does not notify us, or (b) does not realize that the breach occurred?
  • How can we validate or verify that the appropriate safeguards have been implemented for our data in the cloud provider’s data center if we cannot access the raw data on demand?
  • How do we ensure that the cloud storage provider is managing security audits and remediations affecting our data with excellence?
  • Does our BAA (Business Associate Agreement) actually ensure that the cloud provider is HIPAA compliant, or does it simply provide the appearance of compliance?
  • If we need to integrate various patient- and provider-facing systems, how do we grant or restrict access to ePHI (electronic protected health information) based on who is requesting the data?
  • What is our contractual obligation to stay compliant as privacy laws change, and how quickly must we demonstrate compliance or remediation?

 

Cloud providers such as Amazon, Microsoft, and Google offer solutions that can be leveraged to provide the scalability of cloud computing and storage while still preserving data autonomy within the bounds of the customer’s security requirements, infrastructure, and/or firewalls. Now that cloud computing resources are so widely available, maintaining control over data access and security does not have to be an “either/or” debate…it can be a “both/and” discussion!


 

Maintaining Compliance with Salesforce Data

CapStorm is an organization operating within the Salesforce ecosystem amongst a broad landscape of SaaS products and cloud providers. CapStorm takes an “against the grain” approach with its self-hosted platform (hosted by the customer, behind the customer’s own firewalls), empowering its customers with a corporate compliance posture that SaaS organizations simply cannot provide without a risky Business Associate Agreement (BAA).

If you are interested in learning more about how CapStorm can provide you with autonomous control over Salesforce data security and compliance while simultaneously enabling cloud agility, talk with one of our experts! We look forward to helping you on your journey to Data Autonomy!

Drew Niermann

Drew excels in presenting deeply technical ideas in a simple way. He supports 50 of CapStorm's top global accounts, helping each company to achieve their desired outcomes while also guiding a team of Enterprise Sales reps to identify and execute on each of their strategic pursuits.

About CapStorm

CapStorm is the most technologically advanced Salesforce data management platform on the market. Billions of records per day flow through CapStorm software, and our solutions are used in every industry, from credit cards and telecom providers to insurance agencies, global banks, and energy providers.
