How can you take advantage of the incredible power of cloud hosting while still meeting HIPAA data storage requirements at all times?
The best way currently available to store your medical files and share them between various parties is with HIPAA compliant cloud storage. Various cloud apps are designed for filesharing (examples include Box, Dropbox, and Google Drive), which also allows you to back up the files and synchronize data between various devices. However, general technological solutions are not designed for the special case of healthcare – in particular with regard to encryption.
Encryption is important because healthcare IT is being squeezed from both sides. On one side are the criminals: it’s now widely known in threat circles that health information is worth 10 times what a credit card number is on the black market. On the other side are federal regulators, concerned that every covered entity and business associate comply with HIPAA requirements for data storage, processing, and transfer.
People working in the hard-copy world of 20th century medicine would have been delighted by a technology that would allow them to immediately create backup copies of medical records and share them seamlessly with other healthcare practices, explained healthcare technologist Asaf Cidon.
“At the same time,” Cidon countered, “healthcare professionals may have quaked at the prospect of an invention that could scatter copies of their patient files to exposed locations, giving easy access to potential snoops and identity thieves.”
Those two reactions describe the positive and negative sides of the same technological service: HIPAA compliant filesharing.
One basic capability enabled by the cloud is immediate backup and access from anywhere with a web connection. Individuals often use cloud file storage for the same efficiency and access benefits that businesses value: they back up their files and know they can edit and save a document from anywhere, in collaboration with whomever they want (allowing a bride and groom to collaborate on wedding ideas, for instance, or a job seeker to get resume edits from a friend).
Filesharing may sound like a simple concept, but it can make a healthcare environment much more productive. Plus, think of the business continuity and DR gains: “Even if your entire practice is flooded, … and all of your computers and paper files are destroyed,” Cidon suggested, “your files will still be safe if you’ve backed them up” via HIPAA cloud storage.
By storing your files on a cloud virtual machine, you will also know that you are always looking at the most current version of the file, since everything updates in real time.
Plus, you can share files back and forth with other professionals.
Although there are obvious advantages of the broad accessibility of cloud storage, this characteristic also creates vulnerability. Dropbox and other general file-sharing apps may encrypt files during storage. However, the files are exposed as soon as they’re downloaded.
If you share a record through Dropbox, the file is then synchronized across all of the recipient’s devices – completely unencrypted. If one laptop, smartphone or tablet is stolen or lost, you have a breach.
The current HIPAA breach notification rule stipulates that you must notify the government of any PHI compromise that involves at least 500 patients’ data, with penalties up to $1.5 million along with liability (the latter applying even if only one record is lost). Over three in five HIPAA violations are due to device theft or misplacement; every single practice is at risk.
If you are using a general service rather than HIPAA compliant hosting, you can run into another issue as well. You could enter the email address incorrectly, sharing the file with an unintended individual. Your colleague could also hand it to an additional third party.
“Furthermore,” Cidon offered, “most file-sharing services only audit files while they’re stored in the cloud (and even then, these audits don’t necessarily comply with HIPAA), so your documents could be scattered without you ever even knowing about it.”
Enabling HIPAA compliant storage:
These challenges don’t mean cloud hosting should be avoided. Cloud backup and file-sharing is simply too powerful a technology to ignore. What you need to do is figure out how to enable HIPAA compliant storage. You can achieve this in a couple of ways.
One way is to use your own file server, but you won’t get the benefits of cloud, and your costs will be higher. To directly benefit from cloud, you can sign up for a general service and then encrypt every device. For that scenario to work, you would need to know that the file-sharing company guarantees encryption at rest on their servers and in transit to and from them.
Plus, “this solution only works if you can ensure that files are only opened from the devices you control,” Cidon explained, “and also requires considerable IT support.”
By far the best way to meet HIPAA storage requirements in the cloud is to work with a provider that specializes in the healthcare industry. Our healthcare cloud storage solution, featured at HIMSS15, is HIPAA-audited, securely monitored and managed through our SSAE 16 certified datacenter in Orlando, Florida.