Secure Cloud Services for HIPAA Compliance
The HIPAA rules stipulate that all Protected Health Information (PHI) must be safeguarded by a number of administrative, physical and technical controls to prevent it from being accessed by unauthorized individuals. Therefore, any covered entity or Business Associate that stores PHI in the cloud must use secure cloud services for HIPAA compliance.
Storing PHI in the cloud is considered a HIPAA violation risk by many healthcare providers. While it is certainly true that using the cloud to store PHI could lead to a host of HIPAA violations if the necessary safeguards are not implemented, a number of vendors now provide secure cloud services for HIPAA compliance.
When the Health Insurance Portability and Accountability Act (1996) was originally penned, the technological landscape was very different and it would have been very difficult to predict the progress that would be made over the next two decades. As such, cloud service providers are not specifically mentioned in HIPAA regulations. However, they are covered by the Omnibus Rule under the heading of “document storage companies”.
The regulations read “Document storage companies maintaining protected health information on behalf of covered entities are considered business associates; regardless of whether they actually view the information they hold.”
Since the introduction of the Omnibus Rule, Covered Entities (CEs) must ensure that all Business Associates – vendors who in the course of their duties will be required to come into contact with PHI – read and sign a Business Associate Agreement (BAA) that states its obligations under HIPAA Rules and confirms that the services provided will be compliant with HIPAA regulations.
Business Associates must therefore familiarize themselves with the HIPAA Breach Notification Rule, Security Rule, Privacy Rule and Omnibus Rule. Since the introduction of the Enforcement Rule, the Office for Civil Rights (OCR) is able to issue substantial fines for non-compliance. The maximum penalty of $1.5 million per violation, for each year the violation was allowed to persist, can result in multimillion-dollar settlements. The Omnibus Rule broadened the CE definition, and BAs can now be fined directly by the OCR for non-compliance.
Since cloud service providers are classed as Business Associates, they must adopt a number of safeguards to ensure that any PHI they are provided with, or that is stored on their servers, has the appropriate protections in place; that is, they must offer secure cloud services for HIPAA compliance. While it is the responsibility of the Business Associate to implement the controls, the CE must verify that the safeguards have actually been put in place. CEs can also be fined for HIPAA violations, even if a data breach was caused by a Business Associate.
Many cloud vendors have realized the potential for business with the healthcare industry now that it has largely moved over to Electronic Health Records (EHRs). The cloud offers many benefits, and by securing their cloud services, vendors can take advantage of the opportunities in the healthcare sector. Many have already started offering “HIPAA-compliant” services.
Provided each vendor can guarantee that they will abide by HIPAA rules and apply the appropriate safeguards to protect PHI – and agree to sign a Business Associate Agreement to that effect – covered entities can take advantage of the many benefits offered by secure cloud services for HIPAA compliance, such as improved efficiency, easier data access and also considerable cost savings.