Beware of HIPAA Compliant Cloud Service Providers
Healthcare providers and other HIPAA covered entities (CEs) can gain considerable benefits from migrating healthcare data to the cloud. A number of cloud service vendors have seized the opportunity to expand into healthcare cloud data management and a number of HIPAA compliant cloud service products are now being offered to holders of Protected Health Information (PHI).
Beware of Claims that Products are HIPAA-Compliant
Some vendors already had a product to offer to the healthcare industry, but it just required some finessing and additional controls and safeguards to ensure compliance. Policies and procedures were then developed by the Business Associate (BA) in full compliance with HIPPA, as mandated by the Omnibus Rule. However, while this makes these BAs HIPAA compliant cloud service providers, it is not correct for their products and services to be called “HIPAA-compliant”.
HIPAA-compliance is not a term that can be applied to a product as it covers not only the service – or software – provided, but the actions taken by the provider of cloud services as well as those of the healthcare provider that signs up for could services. A HIPAA-covered entity can easily sign up for secure and compliant cloud services, yet still violate HIPAA regulations.
PHI may be securely stored in the cloud, access to the servers on which that data is stored is restricted and physical controls exist to protect those servers. Business Associate Agreements are in place and all data is encrypted.
However, that data must be accessed by healthcare professionals who use devices such as Smartphones, laptops, desktop computers and servers. Any one of those devices is a potential point of weakness. Regardless of the policies, procedures and safeguards implemented by the cloud service provider, HIPAA violations can easily occur at any of those access points.
The Move Towards a Fully HIPAA-Compliant Cloud
Healthcare providers have only recently adopted Electronic Health Records; many have not yet made the jump and migrated their healthcare data to the cloud. Some cloud service providers have started to offer services to the healthcare industry, but take up is far from universal. There are still many regulatory hurdles to overcome and considerable confusion about how the Health Insurance Portability and Accountability Act of 1996 applies to products that were not available at the time that it was written, and are still not mentioned specifically even in recent legislative updates.
There has also been a lack of guidance issued to providers of cloud services, although this problem is now being addressed by the Health Care Cloud Coalition (HC3). The organization is seeking solutions to assist the healthcare industry adopt cloud services and take advantage of the benefits they offer. It also wants to provide support to providers to assist them with the development of HIPAA-compliant cloud services and products.
On June 19, this year HC3 will be meeting to discuss and clarify how HIPAA applies to the cloud, while next month a meeting is scheduled covering how HIPAA Rules apply to software-as-a-service, including how existing programs can be leveraged to demonstrate how security risks are currently being managed. After a series of meetings HC3 will be in a position to state what guidance is required and it will contact the OCR with a request for specific answers to common problems faced by the industry to help clear up confusion and to allow HIPAA-compliant cloud services to be provided more easily and to improve uptake.