Posted by: Fohlhorst
CIO, compliance, hosted services
For many small companies, compliance has become an expensive burden, forcing them to turn to hosted services. But the concept of shifting the compliance burden to a third party is not as easy as it seems.
This is particularly true when it involves HIPAA compliance. So many small companies, such as clinics and single practitioner offices, are forced to meet the same stringent requirements as much larger organizations.
There is a critical difference that separates the two. Larger organizations have IT departments, staff and budgets to meet these stringent requirements, and small companies do not. That makes smaller offices ideal candidates for hosted services and storage, but that still doesn’t eliminate the burden of compliance.
Ultimately, small company operators remain wholly responsible for their data and how that data meets compliance regulations. This means small business operators must vet their hosted services providers to make sure they are not the weak link in their compliance strategy.
Luckily, many businesses providing hosted services are becoming certified for compliance. Take Egnyte, a small hosted file server/hosted storage vendor offering HIPAA compliance services to its customers. To achieve compliance certification, Egnyte had to go through third-party auditing and deploy technologies that keep data compliant.
For example, Egnyte has to encrypt data at rest and in motion. What’s more, the company had to implement a solid disaster recovery plan that protects against data loss, as well as one for backing up data locally and at an alternate site. Comprehensive logging and user logon security is another area that Egnyte had to address to meet compliance needs. All of those elements together (and some not mentioned) are how Egnyte achieved compliance certification.
However, if a business with HIPAA requirements chooses Egnyte for file storage or other services, that business will not automatically become compliant. Why? Because consideration must be given to what happens to the data on-site, how that data is stored, who has access to it, who audits the data, and how it is protected. For instance, is the data encrypted? Can it be copied without being logged?
The moral of the story is that no matter what services are used, a business is ultimately responsible for its own compliance needs. Still, companies like Egnyte can reduce the burden of compliance by providing valuable services including backup, off-site storage, disaster recovery and a whole range of other services that protect data while ensuring compliance.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.