
HIPAAdvisor: Q & A with Steve Fox

*** Partnering with an ASP ***

QUESTION: Our hospital is in the process of evaluating different ASPs to manage our patient record database. How does HIPAA apply to such an arrangement? Can you offer any guidance on how best to manage an ASP relationship?

ANSWER: Application service providers (ASPs) essentially rent hardware server space for software applications to end-users. In an ASP model of delivery, software applications are delivered as services rather than as products, as in traditional licensing models. Accordingly, ASPs run and maintain software applications on behalf of the end-user, who then accesses them over the Internet or through a virtual private network.

Both the proposed Security Regulations (the "Security Regulations") and the Privacy Rule are applicable to the ASP partnership you describe.

Because patient records are being maintained and transmitted between the ASP and your hospital (a covered entity), the administrative procedures and other mandated protections set forth in the proposed Security Regulations and the Privacy Rule to guard the integrity, confidentiality and availability of protected health information must be adhered to and followed. For example, the ASP is both a business associate, subject to the requirements of the Privacy Rule, and a business partner, as defined in the Security Regulations. Therefore, HIPAA requires your hospital to contractually obligate the ASP it partners with to utilize security mechanisms and privacy procedures that include, but are not limited to, the following:

  1. security mechanisms that ensure all transmissions of data are authorized and employ the standards necessary to protect the integrity and confidentiality of the data that is transmitted;
  2. privacy procedures that require any unauthorized use or disclosure of protected health information to be reported to the covered entity;
  3. security mechanisms that protect records and other data from improper access; and
  4. privacy policies that bind the ASP's agents and subcontractors to the same restrictions on the use and disclosure of protected health information as those imposed upon the ASP.

Moreover, it is imperative that ASP agreements include specific procedures for the storage and transfer of data in the event that the contract is terminated, the ASP goes out of business, and/or the ASP is acquired by or merged into an organization that is unsatisfactory to the covered entity. This is especially important because the ASP industry is still in its infancy. As with any new segment of the marketplace, consolidation is inevitable. Before embarking upon a partnership with an ASP, covered entities should conduct enough due diligence to give them comfort that the ASP is stable enough to be entrusted with patient data for safekeeping. Partnering with an ASP that is unwilling or unable to agree to procedures designed to protect the covered entity's data upon dissolution, change of control of the ASP, or termination of any end-user relationship is ill advised.

Further, it is also important to remember that the primary function of an ASP is to provide a service, not to sell a product. Oftentimes, the software vendor of a particular application and the ASP providing the service for that application are not the same entity. Make certain that any potential ASP employs personnel with the skills and experience necessary to maintain the software application in a timely, professional and efficient manner. Maintaining the quality of patient care may well depend on it.

Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.