For those organizations who have yet to employ cloud computing, the key question might be “Can HIPAA data be stored in the cloud?” The answer is yes. End of story. No need to read on.
Of course, it’s not as easy as that. Take, for example, covered entities. In this case, we’re referring to healthcare providers and payers that create, receive, or transmit PHI. When utilizing cloud computing, these organizations must take certain precautions to verify they’re compliant with the Security Rule of HIPAA and its administrative, physical, and technical safeguards. Is it worth the effort to even bother with cloud storage?
Again, the answer is yes. These organizations enjoy a host of benefits by utilizing cloud computing, including reduced storage and operating costs, enhanced scalability and flexibility, and remote file sharing.
Taking the Necessary Steps
Nonetheless, covered entities that don’t comply with the rules and regulations of HIPAA can be subject to assorted fines and penalties, both civil and criminal. Therefore, they must have a full grasp of how ePHI and other data should be stored in the cloud to achieve compliance and security. It’s about more than simply selecting a big-name cloud service provider (CSP). It’s having a comprehensive plan in place for their data, performing a risk analysis on the option of cloud computing, and finding a solution that will grow as they do.
Obtaining Proper Proof and Documentation
Even though some CSPs tout their ability to comply with HIPAA, covered entities should require proof of their adherence to its guidelines. They should verify that the CSP’s service level agreement (SLA) doesn’t interfere with this compliance, and that the CSP can prove it holds up-to-date certifications for items such as encryption levels and System and Organization Controls (SOC) auditing and reporting.
Covered entities also should confirm the CSP they select meets all their HIPAA protocols and follows regulations on who can access their ePHI. Any reliable CSP should have no problem answering questions about HIPAA compliance for customers and providing any requested documentation for verification. It’s important to note that any healthcare organization covered under HIPAA that ceases use of a cloud service should receive back all of its stored data.
Brokering Through a Business Associate Agreement
Another HIPAA requirement for healthcare organizations that utilize cloud computing is a Business Associate Agreement (BAA). A business associate may be a CSP, a managed service provider (MSP), or any other organization that processes patient data in the course of the services it provides.
As we mentioned in a previous blog, the BAA is a contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the Business Associate (BA), provided that the BA will use PHI only as permitted by the contract or required by law, use appropriate safeguards, and report any disclosures not permitted by the contract. It essentially manages the chain of custody and clearly defines the roles and responsibilities of each party involved in the process.
Focusing on Encryption
As with other methods of storing data, encryption should be a focus for healthcare organizations using cloud computing, both for files in transit and at rest. Even when ePHI is encrypted, HIPAA requires CSPs to maintain its availability and integrity: encryption protects confidentiality, but the data can still be lost or corrupted by cyberattacks and natural disasters. If a covered entity is the victim of a breach of unencrypted PHI, that organization is required to report it to HHS’ Office for Civil Rights. Before choosing a CSP, healthcare organizations should verify that the vendor uses a minimum of 128-bit encryption.
Achieving Compliance with Connectria
At Connectria, we know that a simple mistake in setting up workloads in the cloud could result in a data breach that costs your healthcare organization millions in fines and remediation. We assist healthcare organizations of all sizes in maintaining compliance with HIPAA security standards for the storage of Protected Health Information (PHI) and have solutions for private and public clouds along with on-prem environments. Plus, our TRiA Cloud Management Platform (CMP) has more than 200 built-in IT security and compliance checks which cover common standards, including HIPAA.
For SaaS software developers or MSPs serving customers in the healthcare industry, our managed and private hosted clouds can help you offer HIPAA- and HITECH-compliant cloud-based solutions to your customers as well. Contact us to learn how we’re able to implement an environment that meets HIPAA/HITECH standards across a wide range of IT environments.
Visit our HIPAA Compliance Solutions page to find out how our experienced team partners with customers to help them achieve their HIPAA and HITECH compliance objectives.
As you search for a partner to help with HIPAA compliant hosting, we recommend our article, “Four Ways to Vet a Private Cloud Provider.”