Taking HIPAA Compliance to the Cloud: What You Need to Know
HIPAA regulations have turned the handling of patient data by healthcare professionals into a procedural tightrope, not just for them but also for the cloud-based apps and services they share that data with. Start here to learn what HIPAA is and how to ensure the cloud services you already use are HIPAA compliant.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a framework of US Federal legislation that ensures data privacy and security provisions for what is considered to be protected health information (PHI), and its electronic equivalent, ePHI. HIPAA extends beyond covered healthcare organizations and insurance companies to the cloud services they use.
It is estimated that international cloud computing services for healthcare will climb to the $9.5 billion mark by the year 2020, a projected growth rate of 20.5% annually, and this growth will not be without its technological hurdles.
This legislation is in place to ensure the privacy of personal health information, and it has left a lot of organizations scratching their heads wondering if the services they use are HIPAA compliant.
It is up to cloud service providers to ensure they are in fact compliant; otherwise they are going to miss out on their piece of that $9.5 billion pie.
While the goal of HIPAA is to protect patient privacy, the downside is that it can form a massive barrier for startups seeking to enter the healthcare industry, and it could squash future innovations before they make it beyond the meeting room whiteboard.
In this article we'll take a bird's eye view of what HIPAA is, what it means for organizations that rely on cloud-based services to manage protected health information, and for the people behind these cloud-based services.
What HIPAA Means for the Cloud
All parties involved will need to recognize that cloud service providers who handle ePHI are in fact "HIPAA business associates" of their healthcare customers, and that they are under specific obligations to provide adequate protection for that data.
A HIPAA business associate is an entity or person who facilitates specific functions on behalf of an organization that is covered by HIPAA, or offers services that involve privileged access to protected health information. The rules very clearly spell out that HIPAA applies to any organization that "creates, receives, maintains or transmits ePHI, for or on behalf of, a HIPAA covered entity."
That means a cloud service provider will need to sign a business associate agreement (BAA) that clearly outlines the allowable uses and disclosures of protected health information by the cloud service, all safeguards that are in place to protect it, and any other aspect of the HIPAA regulations that relates to its business.
The BAA will also need to be updated when changes occur that could impact compliance, and should the cloud service provider pass the ePHI to another cloud service provider, it will need to have a BAA in place with that third party, and so on down the line.
For organizations covered by HIPAA, it's important to understand that they can't simply start using a cloud-based service because they believe it to be HIPAA compliant: a BAA must be in place first. To do otherwise is to risk regulatory enforcement actions that can result in significant fines for non-compliance if they get caught.
Requirements for Cloud-Based Services
According to guidance issued by the U.S. Department of Health and Human Services, cloud service providers are required to comply with the three main sections of the HIPAA regulations, namely the Privacy, Security and Breach Notification Rules.
In plain English, here's a brief high-level explanation:
- Network transmission and security: All methods of data transfer must have ample safeguards in place to protect electronic PHI from unauthorized access.
- Physical security: From access to the building itself, to the hardware and systems within it.
- Technical safeguards: All levels of access should be restricted to authorized parties only, and an audit trail should be available to review who accesses what.
- Technical policies: Data integrity, disaster recovery, and off-site backup are key priorities to ensure that data isn't altered, destroyed, or unable to be recovered.
All of these safeguards should be documented in the BAA in detail.
In addition, a Service Level Agreement (SLA) that spells out specific and detailed expectations between the Cloud provider and its customer should be incorporated in the BAA. The SLA could, for example, specify metrics covering:
- Minimum system availability and reliability.
- Back-up and data recovery.
- Manner in which data will be returned to the customer after service use termination.
- Security responsibility.
- Use, retention and disclosure limitations.
Finally, the BAA should also establish a notification policy in the event that data is breached or otherwise compromised while in the Cloud, so that the health care provider whose data was breached is informed with sufficient time to correct the situation and, if necessary, report the event as required under the Breach Notification Rule.
HIPAA Compliant Cloud-Based Services
Finding a HIPAA compliant cloud service isn't as hard as one might think. Here are a few providers, eager to serve regulated industries, that are able to enter into a BAA.
eFax Corporate is one such online faxing provider that is HIPAA compliant, is already trusted by a wide range of Fortune 500 companies, and was immune to recent ransomware attacks, because you can't hack a fax.
Cloud-based faxing services have breathed new life into the old office fax machine due to their ability to leave a proper audit trail, incorporate modern secure document-sharing measures, and have a ubiquitous presence in and around the office.
Here Today, HIPAA Tomorrow
There is a heavy requirement on businesses in the health sector to ensure that all cloud-based services used inside or outside of the office are HIPAA compliant and that a BAA has been signed.
In this BYOD world, that's a tall order in itself.