Healthcare providers and health plans can gain many valuable benefits from migrating to the cloud, but with the strict regulations covering the use and disclosure of PHI, it is understandable for covered entities to be concerned about the level of data security in the cloud. Can cloud computing really be HIPAA compliant?
Data Security in the Cloud
The cloud can be a highly flexible storage solution for healthcare providers. Cloud platforms can be used simply for data storage or for the development of a host of services that can improve the patient experience as well as benefit healthcare providers alike. Data security in the cloud is a major concern, but CSPs are now offering healthcare providers a wide range of cloud services which promise all of the necessary safeguards to satisfy HIPAA rules and keep PHI protected.
Be Cautious About HIPAA Compliant Cloud Services
HIPAA compliant cloud computing is possible, but this largely depends on the actions of the covered entity. No product can be truly HIPAA compliant as compliance depends on how the cloud is used and the methods used to transfer data into and out of cloud storage. Measures can be adopted to improve data security in the cloud, but policies and procedures must be developed to cover how cloud services are used.
Any provider of HIPAA compliant cloud services that claims their product is HIPAA-compliant should be treated with caution. Such a claim should not be taken to mean that all responsibility for complying with the HIPAA Privacy and Security Rules will be taken care of by the CS. It is still possible to violate HIPAA Rules, even when a HIPAA compliant cloud service provider is employed as a Business Associate.
The service provider needs to be thoroughly assessed to ensure that they are fully aware of HIPAA regulations covering PHI and they should be happy to provide a guarantee that data will be stored – and moved – in accordance with HIPAA rules and regulations.
Key Elements of HIPAA Compliant Cloud Computing
When choosing a cloud service provider, a covered entity should assess the CSP on a number of key areas.
Data Encryption:
Data encryption may not be mandatory under HIPAA, but when data is in motion or stored remotely in the cloud, that data should be encrypted. Encryption applies to data in transit and at rest, includes backups of data. Your CSF must use data encryption technologies to ensure PHI will be secure.
PHI Access Control:
If PHI must be provided to a CSP, or if data is stored on CSPs servers, there should be robust controls in place to prevent data from being accessed or viewed by unauthorized individuals. Data access control is vital if CEs are to protect the integrity of their data. The accessing of PHI should also be restricted to the minimum necessary information for a task to be performed.
Where is your Patients’ PHI?
Covered entities must know exactly where their data is located at all times. In the case of cloud storage, the same is true. A covered entity must find out where a CSPs servers are physically located, which should be within the borders of the United States. It may be more cost-effective to use foreign servers, but any data stored outside of the U.S could be subjected to very different rules. These rules may offer substantially less protection than is demanded under HIPAA in the United States.
Maintaining Data Access at All Times
If PHI is to be stored in the cloud, access to that data must be maintained at all times, even in emergency situations. It cannot be possible for data to be irretrievably deleted – accidentally or intentionally. Backups must be made and a disaster recovery plan must be formulated – and be documented. This plan must also be tested.
Business Associate Agreements
Since a CSP is a Business Associate, a signed Business Associate Agreement must be obtained before any data is provided. Business Associates are covered under HIPAA and they can be held liable for data breaches and unauthorized disclosures of PHI. While fines can be issued directly to the BA, the covered entity may also be penalized for the actions of a Business Associate. It is therefore essential that the CSP is fully aware of its responsibilities under HIPAA, and these responsibilities should be detailed in the BAA.
