Prior to cloud computing services being used by healthcare providers for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered bodies must ensure the services are kept in a secure manner.
Even in case where a cloud computing platform provider has being given HIPAA compliance certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used to store ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed.
A risk analysis is a vital element of HIPAA compliance for cloud computing services. After completing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks ifound must be managed and minimized to a reasonable and appropriate level.
It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered body fully comprehends the cloud computing environment and the service being offered by the platform supplier.
A HIPAA business associate is any individual or body who carries out functions on behalf of a covered entity, or offers services to a covered entity that involve access being given to protected health information (PHI).
The HIPAA definition of business associate was altered by the HIPAA Omnibus Rule to include any body that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to providers of cloud computing services.
Due to this, a covered group must obtain a signed business associate agreement (BAA) from the cloud platform provider. The BAA must be received by the cloud platform provider before any PHI is uploaded to the platform. A BAA must still be obtained even if the platform is only used to store encrypted ePHI, even if the key to access the encryption is not supplied to the platform provider. The only exception to this rule would be when the cloud platform is only used to store, process, maintain or transmit de-identified ePHI.
The BAA is a contractual agreement between a covered body and a service provider. The BAA must set down, strictly, the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all parts of HIPAA Rules that apply to the platform provider. Details of the all the inclusions and considerations a HIPAA-compliant BAA can be viewed at the HHS on this link.
Cloud computing platform suppliers and cloud data storage companies that have access to PHI can be fined for failing to adhere to with HIPAA Rules, even if the service provider does not access any data uploaded to the platform. Not all cloud service suppliers will therefore be willing to sign a BAA.
Simply completing a BAA for a cloud computing platform will not ensure a covered body is adhering to HIPAA Rules. HIPAA Rules can still be breached, even with a BAA in place. This is because no cloud storage service can be truly HIPAA compliant by itself. HIPAA compliance will be governed by how the platform is used.
The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered groups that did not obtain business associate agreements before uploading PHI to cloud storage, as well as for risk analysis and risk management failures.
St. Elizabeth’s Medical Center in Brighton, Mass agreed to settle its case with OCR in 2015 for $218,400 for potential breaches of the HIPAA Security Rule after PHI was uploaded to a document sharing service, without first assessing the danger of using that service.
Phoenix Cardiac Surgery also agreed to settle a case with OCR for not obtaining a business associate agreement from a provider of an Internet-based calendar and email service prior to using the service in conjunction with PHI. That particular case was settled for $100,000.
A rising number of healthcare groups are taking advantage of the cloud and cloud services. In January 2017, HIMSS Analytics studied use of the cloud storage at 64 healthcare organizations of all sizes. The survey showed 65% of healthcare organizations are now employing the use of cloud or cloud services, including smaller hospitals (<50 beds).
The biggest area of growth is the use of software-as-a-service (SaaS), increasing from 20% in 2014 to 88% in 2016, followed closely by disaster recovery, up from 42% to 61%, and use of the cloud for hosting clinical applications, which went up from 52% to 63%.
A HIMSS/ClearData survey was also completed on 50 respondents from the largest healthcare groups in the United States (20% – 101-250 beds, 32% – 252-500 beds, 36% 500+ beds). 84% of those organizations are presently using cloud services, with 74% planning to move existing or new workloads to the cloud.
Out of the large healthcare groups that have already adopted cloud services, 85.7% did so for IT (including backups, desktop and server virtualization, hosting archived data), 81% for administrative functions (financial, operational, HR and back office applications and data), 57% for analytics and 40.5% for clinical applications and external data sharing.
For large groups, the most common uses of the cloud are for hosting analytics applications and data (48%), hosting financial applications and data (42%), for operational applications and data (42%) and HR applications and data (40%). 38% were using the cloud for disaster recovery and backup measures.
When asked to rate the top considerations when selecting a cloud service provider, top of the list was adherence to regulatory requirements such as HIPAA and HITECH, rated in the top three by 54% of organizations, followed by the willingness to meet BAA requirements (38%) and technical security (32%). In terms of safety and security, the biggest cloud vendors are thought to be the best choice as they can afford to hire the very best staff and can devote huge resources to ensuring their platforms are safe.
Microsoft Azure and Amazon AWS are the most popular platforms, and also the most highly rated as per the HIMSS Survey. Amazon has long been the leading cloud service supplier, although Microsoft seems to be catching up according to this comparison of Azure and AWS.
The main advantages to healthcare groups migrating to the cloud were: Performance and reliability, ease of management, total cost of ownership, and infrastructure agility.
While there are obvious advantages, use of the cloud is not without challenges. The biggest obstacles for healthcare groups were seen as cost/fees (47.6%), customer service (33.3%), migration of data and services (26.2%), and availability and uptime (23.8%).