Cloud Service Providers and HIPAA Compliance
If you are considering migrating data to the cloud, you need to understand the safeguards that cloud service providers implement and how those safeguards relate to HIPAA compliance.
You may have identified a number of potential providers of cloud services that claim to abide by HIPAA rules, but how certain can you be that the data you provide them with will be safe? This article explains the relationship between cloud service providers and HIPAA compliance.
Benefits of the Cloud for Healthcare Providers
The cloud offers a number of advantages to healthcare providers and other Covered Entities (CEs). Although the speed of access to data stored in the cloud depends on the network and devices used to reach it, it is usually fast. Many physicians struggle with slow internal computer systems that take a long time to retrieve records. In some cases, to speed up access, PHI is downloaded to a local laptop. This may violate organizational policy and carries a high risk of a data breach and a HIPAA violation, but it is seen as the only way to record and retrieve information quickly enough to give physicians more time with patients.
Faster access improves efficiency and removes the incentive for medical professionals to resort to such shortcuts in order to reach the information they need to treat their patients.
The sheer volume of data that must now be stored requires a significant investment in hardware, and that hardware takes up valuable floor space that could be put to better, revenue-generating use. Servers require cooling, and the space and equipment devoted to IT is considerable. By moving data to the cloud and having it remotely managed, CEs can reduce IT staffing costs, make better use of space, and invest less in hardware and in the physical safeguards for the data center that houses it. Outsourcing does not transfer accountability, however: the CE remains responsible under HIPAA for confirming that the provider's physical, technical and administrative safeguards are adequate.
Cloud Service Providers and HIPAA Compliance
Regardless of whether a cloud service provider claims to be HIPAA-compliant, the CE must understand the controls that have been put in place to secure PHI and satisfy itself that they are appropriate and provide an adequate level of protection. There is no official HIPAA certification, so a provider's claim of compliance is only a starting point. The CE should also see evidence of the provider's risk analysis and be sure that identified vulnerabilities have been addressed and that the remaining risks have been reduced to a reasonable and appropriate level, as the Security Rule requires.
Business Associate Agreements Must be in Place Prior to PHI Access Being Granted
A Business Associate Agreement (BAA) may be drafted by either the BA or the CE, but it must be signed by both parties and each must retain a copy. Under HHS guidance, a cloud service provider that creates, receives, maintains or transmits PHI on behalf of a CE is a business associate even if it only stores encrypted data and never holds the decryption key. According to the HHS, the BAA must detail “the permitted and required uses of protected health information by the business associate,” cover the use and disclosure of PHI, and require that the appropriate administrative, physical and technical safeguards have been implemented to protect PHI.
BAAs must also address the Breach Notification Rule and each party's obligations in the event of a security breach, including notification deadlines and the actions required. Under the Rule, a BA must notify the CE of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery; the BAA can, and usually should, set a shorter deadline and specify the information the BA must supply (the individuals affected, the PHI involved and the circumstances of the breach). It is the CE, not the BA, that must notify affected individuals, the Department of Health and Human Services’ Office for Civil Rights (OCR) and, where applicable, the media, so the BAA should ensure the CE receives what it needs to meet those obligations in time. According to the HHS, it is important that “Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.” In the event of termination of the contract, or in the case of a dispute, the BAA should state what must be done with PHI: whether it must be destroyed, rendered permanently unreadable, or returned to the covered entity.
HIPAA Compliance Checklist:
In order for cloud services to be HIPAA-compliant:
- The service must be subjected to a full risk analysis, and the results made available to the CE
- Any security risks identified must have been reduced to a reasonable and appropriate level
- Layered (two-tier) security controls should be employed, such as multi-factor authentication in front of the access controls that protect PHI
- Appropriate technical safeguards must have been implemented to control access to servers
- Servers must be protected by appropriate physical security, with administrative controls in place
- The location of the servers should be known and assessed in the risk analysis; HIPAA does not prohibit storing PHI outside the United States, but data held in another jurisdiction may be subject to different laws and be harder to recover, so many CEs require US-based storage
- Data must be encrypted in storage and in transit, including backups; under HHS guidance, PHI encrypted in line with NIST recommendations is not “unsecured,” so its loss is not a reportable breach provided the decryption key was not also compromised
- Controls must exist to prevent unauthorized individuals from accessing PHI
- Access to PHI must be monitored and logged, and the logs regularly audited
- Any PHI provided must be limited to “the minimum necessary” for the job to be performed
- All staff who come into contact with PHI must be trained on the HIPAA Rules and how they apply in the workplace
- A signed Business Associate Agreement must be obtained before any PHI is shared with the provider