Healthcare organizations are increasingly being tasked with securely handling the vast amount of electronically protected health information (ePHI) they obtain through multiple forms of technology. To achieve this, many are turning to cloud computing to not only store and retrieve the data, but also procure unlimited backup space and reliable disaster recovery.
In fact, a HIMSS Analytics survey found that more than 83 percent of healthcare organizations are already using cloud services. According to another report, approximately 35 percent of healthcare organizations house more than half their data or infrastructure in the cloud. For those that have yet to do so, some cite cost, while others report a lack of staffing resources. But, by far, health organizations are concerned with privacy and HIPAA compliance.
A Simple Answer to a Complex Question
For those organizations that have yet to employ cloud computing, the key question might be “Can HIPAA data be stored in the cloud?” The answer is yes. End of story. No need to read on.
Of course, it’s not as easy as that. Take, for example, covered entities. In this case, we’re referring to healthcare providers and payers that create, receive, or transmit PHI. When utilizing cloud computing, these organizations must take certain precautions to verify they’re compliant with the Security Rule of HIPAA and its administrative, physical, and technical safeguards. Is it worth the effort to even both with cloud storage?
Again, the answer is yes. These organizations enjoy a host of benefits by utilizing cloud computing, including reduced storage and operating costs, enhanced scalability and flexibility, and remote file sharing.
Taking the Necessary Steps
Nonetheless, covered entities that don’t comply with the rules and regulations of HIPAA can be subject to assorted fines and penalties, both civil and criminal. Therefore, they must have a full grasp of how ePHI and other data should be stored in the cloud to achieve compliance and security. It’s about more than simply selecting a big-name cloud service provider (CSP). It’s having a comprehensive plan in place for their data, performing a risk analysis on the option of cloud computing, and finding a solution that will grow as they do.
So, how can healthcare organizations guarantee they’re making the right choice in investing in cloud computing to handle their ePHI? By conducting in-depth research on their IT systems, operations, and needs, performing a cost-benefit analysis, and evaluating different CSP options.
Obtaining Proper Proof and Documentation
Even though some CSPs tout their ability to comply with HIPAA, covered entities should require proof of their adherence to its guidelines. They should verify that the CSP’s service level agreement (SLA) doesn’t interfere with this compliance and can prove they have up-to-date certifications for items such as encryption levels and System and Organization Controls (SOC) auditing and reporting.
Covered entities also should confirm the CSP they select meets all their HIPAA protocols and follows regulations on who can access their ePHI. Any reliable CSP should have no problem answering questions about HIPAA compliance for customers and providing any requested documentation for verification. It’s important to note that any healthcare organization covered under HIPAA that ceases the use of a cloud service should receive back all of its stored data.
Brokering Through a Business Associate Agreement
Another HIPAA requirement for healthcare organizations that utilize cloud computing is a Business Associate Agreement (BAA). A business associate may consist of a CSP, managed service provider (MSP), or organization that processes patient data through the services it conducts.
As we mentioned in a previous blog, the BAA is a contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the Business Associate (BA), provided that the BA will use PHI only as permitted by the contract or required by law, use appropriate safeguards, and report any disclosures not permitted by the contract. It basically manages the chain of custody and clearly defines what the roles and responsibilities are for each party involved in the process.
This is where HIPAA’s administrative, physical, and technical safeguards come into play again. Administrative safeguards consist of data access, risk analysis, and security management, assessment, and staff training, while technical ones are comprised of access and audit controls, integrity processes, and transmission security. Examples of physical safeguards are protections for workstations and devices and facility access. Even though a CSP may have all these essential safeguards, it’s still the responsibility of the covered entity to confirm the appropriate HIPAA guidelines are being addressed.
Focusing on Encryption
As with other methods of storing data, encryption should be a focus for healthcare organizations using cloud computing, both for files in transit and at rest. Even when ePHI is encrypted, HIPAA requires CSPs to maintain the availability and integrity of it. The data still can be in danger of cyberattacks and natural disasters. If a covered entity is the victim of a breach of unencrypted PHI, that organization is required to report it to HHS’ Office for Civil Rights. Before choosing a CSP, healthcare organizations should verify that vendor utilizes a minimum of 128-bit encryption.
Achieving Compliance with Connectria
At Connectria, we know that a simple mistake in setting up workloads in the cloud could result in a data breach that costs your healthcare organization millions in fines and remediation. We assist healthcare organizations of all sizes in maintaining compliance with HIPAA security standards for the storage of Protected Health Information (PHI) and have solutions for private and public clouds along with on-prem environments. Plus, our TRiA Cloud Management Platform (CMP) has more than 200 built-in IT security and compliance checks which cover common standards, including HIPAA.
For SaaS software developers or MSPs serving customers in the healthcare industry, our managed and private hosted clouds can help you offer HIPAA and HITECH compliant cloud-based solutions to your customers as well. Contact us to learn how we’re able to implement an environment to meet HIPAA/HITECH standards across a wide range of IT environments.