Global healthcare, life sciences, and pharmaceutical companies can be subject to overlapping or conflicting laws across countries. For example, forced data disclosure laws in some countries might violate the privacy rules of another country or region, such as General Data Protection Regulation (GDPR), if the data crosses national or regional boundaries.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act help healthcare companies understand their responsibilities when it comes to data protection. Since so many laws, regulations, and rules pertaining to healthcare and life sciences data exist across the world, this section will not provide the details of each and every one. Nonetheless, key themes across most healthcare, life sciences, and pharmaceutical regulations are:
HIPAA was developed to protect sensitive United States (US) patient data through its Privacy and Security Rules. According to these rules, any company that gathers or uses Patient Health Information (PHI) must have physical, network, and process security measures in place in order to ensure HIPAA compliance.
HITECH specifically covers the PHI data risks under HIPAA. PHI includes any and all data collected by healthcare professionals that identifies an individual and is used to determine appropriate care, such as demographic information, insurance information, medical history, and test and laboratory results. HIPAA applies to any provider serving patients in the US, even if the provider is located outside the country.
HIPAA’s Security Rule is specifically aimed at protecting health information that is stored or transferred in electronic format (ePHI). According to the Health and Human Services (HHS) HIPAA website, the Security Rule requires that HIPAA-covered entities implement the following protections for ePHI:
Under HIPAA, “Covered Entities” include the healthcare providers, health plans, and healthcare clearinghouses. “Business Associates” are entities, vendors, or subcontractors that create, receive, maintain, access, or transmit PHI on behalf of a Covered Entity. Business Associates include Cloud Service Providers (CSP), such as Salesforce, Veeva, and OwnBackup.
According to HIPAA rules, data protection responsibility lies completely with the Covered Entity, not the Business Associate. Exact copies of electronic PHI must be backed up securely, and Covered Entities should be able to fully restore them in the event of data loss. HIPAA requires backups to be frequent, encrypted, tested, and stored offsite.
As the responsible party, Covered Entities must ensure Business Associates sign their Business Associate Agreement (BAA). Without both parties signing this agreement, the Covered Entity could be fined for HIPAA non-compliance.
To maintain HIPAA compliance, Covered Entities must vet each third-party SaaS app, such as those on the Salesforce AppExchange, and custom software developers for Force.com apps separately before sharing or transmitting PHI. A separate BAA is recommended for each third-party app working with the Covered Entity.
Download OwnBackup’s Navigating SaaS Healthcare Data Protection and Regulatory Demands eBook to learn strategies that you can implement to better secure company SaaS data and stay in compliance with industry regulations.