What is HIPAA Compliance in the Cloud?
The proliferation of cloud solutions within organizations has changed the way we work. Many businesses are leveraging hosted software and hardware services using models like IaaS, PaaS, and SaaS. However, cloud computing raises security and compliance concerns. For companies in the healthcare industry, these concerns are paramount.
In the USA, the Health Insurance Portability and Accountability Act (HIPAA) applies to “covered entities” (healthcare organizations), and their “business associates” (third-party vendors processing data on behalf of covered entities).
Both types of organizations are responsible for securing protected health information (PHI). Healthcare organizations leveraging cloud services need to enter a HIPAA business associate agreement (BAA) with their cloud providers and ensure that the cloud provider takes the appropriate measures to secure PHI in line with relevant HIPAA regulations.
Brief Introduction to HIPAA
HIPAA is a mandatory compliance standard for organizations in the US healthcare industry specifying the appropriate use and protection of PHI. Below we cover the basics of HIPAA compliance.
Two types of organizations are required to be HIPAA compliant:
- Covered entity—a healthcare provider or payer who maintains, transmits, or creates PHI. Medical practitioners employed by hospitals are generally not considered covered entities. However, private medical practitioners may be considered a covered entity.
- Business associates—a company or individual that performs a specific function or provides services to covered entities that require access to protected health information.
There are four main rules in the HIPAA standard:
- HIPAA Privacy Rule—determines standards for protecting health information, such as medical records, applications for health programs, and medical data processed by clearinghouses.
- HIPAA Security Rule—sets security standards for PHI maintenance, transmission, and processing. This applies to covered entities as well as business associates.
- HIPAA Breach Notification Rule—specifies that the organization should report all security breaches. The deadline for reporting depends on the severity of the breach.
- HIPAA Omnibus Rule—an additional HIPAA rule that specifies standards for business associates. This rule requires “business associates” to be HIPAA-compliant and requires “covered entities” to enter a BAA with their business associate before using services involving PHI.
If an organization commits HIPAA violations, the state Attorney General may impose fines of up to $25,000 per year per category of violation, and the Office for Civil Rights (OCR) can impose fines of up to $1.5 million per year per category of violation. Individuals who violate HIPAA can also face fines and criminal penalties of up to 10 years in prison.
How Does HIPAA Affect Cloud Service Providers and Users?
According to HIPAA guidelines, cloud service providers (CSPs) are defined as business associates. This implies the following requirements for the use of cloud services at healthcare organizations:
- BAA with the cloud provider—covered entities may use cloud services to store or process ePHI; however, they must enter a BAA with the cloud provider.
- Ensure the CSP is in compliance—it is not enough to sign a BAA. Covered entities must make sure that the cloud provider complies with all relevant HIPAA regulations.
- Defining SLAs—covered entities need to receive a Service Level Agreement (SLA) commitment from their cloud providers that addresses HIPAA requirements such as system reliability and availability, data backup, data recovery, security responsibilities, retention of PHI, disclosure, and more.
- Data encryption—a cloud provider that stores encrypted PHI without holding the encryption key is still considered a “business associate” and is subject to the same responsibilities for securing the data.
- Reporting incidents—when a security incident happens, the cloud provider must report it to the covered entity (cloud user) as soon as the vendor discovers the incident. According to HIPAA, cloud providers are required to detect as well as respond to any security incident. The cloud vendor is also required to mitigate security threats as well as record the details of the incident and its consequences.
Penalties for Cloud-Related HIPAA Violations
There were several cases tightly related to cloud services where HIPAA violation resulted in court settlements and large fines, including:
- Phoenix Cardiac Surgery—did not enter a business associate agreement with an Internet-based calendar and email service provider, and PHI was transmitted using the service. The organization settled its case with OCR for $100,000.
- University of Oregon Health and Science University—stored PHI in a cloud service without entering a BAA with the cloud provider. Settled the OCR lawsuit for $2.7 million.
- St. Elizabeth Medical Center in Brighton, MA—uploaded PHI to a cloud file sharing service without assessing the risks and paid $218,000 in fines after a settlement with OCR.
Best Practices to Maintain HIPAA Compliance in the Cloud
When a public cloud provider declares that it is HIPAA compliant, this means the underlying infrastructure is secure. A covered entity is still responsible for identifying the HIPAA requirements that fall outside the public cloud provider's scope, monitoring for security incidents, and auditing its own activity.
Below are the key activities covered entities must carry out after they start using a HIPAA-compliant cloud service.
Sign a BAA with Your Cloud Provider
The first step to HIPAA compliance is to sign a Business Associate Agreement (BAA) with the cloud provider. This should help establish the guidelines of the relationship between the two entities.
Establish a Responsibility Matrix for HIPAA Controls
Most providers have a responsibility matrix ready to share that establishes which of the required HIPAA controls the public cloud provider will and will not cover. Establishing which entity is responsible for each control is key to ensuring nothing is missed when establishing HIPAA compliance.
Set Up Appropriate Access Controls
The cloud user must ensure that access controls are carefully configured so that only authorized individuals can access PHI. It is necessary to establish procedures for granting, revoking, and periodically reviewing access.
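The periodic access review described above can be scripted against an export of access grants. The following is an added example, not code from the article or from Atlantic.Net; the field names, the approved-role list, the 90-day dormancy threshold, and the sample grants are all constructed assumptions for this illustration.

```python
"""Periodic access review for PHI systems (added example, not from the article).

Takes a constructed export of access grants and flags entries a reviewer should
act on: grants held by people no longer employed, grants dormant longer than the
review policy allows, and grants whose role is not on the approved list for PHI
access. Field names and policy thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Roles assumed to be pre-approved for PHI access (hypothetical policy).
APPROVED_PHI_ROLES = {"clinician", "billing", "records-admin"}
DORMANT_AFTER = timedelta(days=90)   # assumed policy: revoke access unused for 90 days
REVIEW_DATE = date(2024, 6, 1)       # the day this review runs (constructed)


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    system: str                 # the PHI system the grant applies to
    last_login: Optional[date]  # None means the account has never been used
    employed: bool              # from the HR feed; False means terminated


def review_grants(grants, today: date):
    """Return {(user, system): [reasons]} for every grant that needs action."""
    findings = {}
    for g in grants:
        reasons = []
        if not g.employed:
            reasons.append("user no longer employed: revoke immediately")
        if g.role not in APPROVED_PHI_ROLES:
            reasons.append(f"role '{g.role}' not approved for PHI access")
        if g.last_login is None or today - g.last_login > DORMANT_AFTER:
            reasons.append("access dormant beyond review policy")
        if reasons:
            findings[(g.user, g.system)] = reasons
    return findings


# Constructed sample export (not real users or systems).
SAMPLE_GRANTS = [
    Grant("asmith", "clinician", "ehr-prod", date(2024, 5, 28), True),
    Grant("bjones", "contractor", "ehr-prod", date(2024, 5, 20), True),
    Grant("cdoe", "billing", "claims-db", date(2023, 11, 2), True),
    Grant("dlee", "clinician", "ehr-prod", date(2024, 5, 1), False),
    Grant("evans", "records-admin", "ehr-prod", None, True),
]

if __name__ == "__main__":
    for (user, system), reasons in review_grants(SAMPLE_GRANTS, REVIEW_DATE).items():
        print(f"{user}@{system}: " + "; ".join(reasons))
```

In practice the grant list would come from the identity provider or the cloud account's IAM export and the employment flag from HR; the point is that each finding names a concrete revoke-or-justify decision, which is the record a HIPAA access review needs to produce.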
Set Up Patch Management
Ensure that all cloud systems are upgraded to the latest versions of their respective operating system and software. Put monitoring in place, ensure operations staff are notified when a patch is needed, and have a convenient way to apply patches to cloud systems.
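The "notify operations staff when a patch is needed" step reduces to comparing what each host reports against the minimum versions the patch policy requires. The following is an added example, not code from the article or from Atlantic.Net; the hostnames, package names, version numbers, and the required-version table are constructed, and in a real deployment the inventory would come from the provider's API or a configuration-management agent.

```python
"""Patch-status check over a host inventory (added example, not from the article).

Compares the package versions each cloud host reports against the minimum
versions the patch policy requires, and lists which hosts still need which
updates so operations staff can be notified. Hostnames, package names and
version numbers are constructed for this example.
"""
import re

# Assumed patch policy: minimum acceptable version per package (hypothetical values).
REQUIRED = {"openssl": "3.0.13", "kernel": "6.1.90", "postgresql": "15.7"}

# Constructed inventory in the shape an agent or cloud API might report.
INVENTORY = {
    "ehr-app-01": {"openssl": "3.0.13", "kernel": "6.1.90", "postgresql": "15.7"},
    "ehr-app-02": {"openssl": "3.0.11", "kernel": "6.1.90", "postgresql": "15.7"},
    "ehr-db-01":  {"openssl": "3.0.13", "kernel": "6.1.82", "postgresql": "15.5"},
    "bastion-01": {"openssl": "3.0.13", "kernel": "6.1.90"},   # no postgresql installed
}


def version_key(v: str):
    """Turn '6.1.90-1' into (6, 1, 90, 1) so versions compare numerically, not as strings.

    A plain string comparison would rank '3.0.9' above '3.0.13'; splitting on
    the digits avoids that.
    """
    return tuple(int(x) for x in re.findall(r"\d+", v))


def outdated(inventory=INVENTORY, required=REQUIRED):
    """Return {host: [(package, installed, required), ...]} for hosts that need patching.

    Packages absent from a host are skipped: nothing to patch there.
    """
    report = {}
    for host, packages in inventory.items():
        gaps = [
            (pkg, installed, required[pkg])
            for pkg, installed in packages.items()
            if pkg in required and version_key(installed) < version_key(required[pkg])
        ]
        if gaps:
            report[host] = gaps
    return report


if __name__ == "__main__":
    for host, gaps in outdated().items():
        for pkg, have, need in gaps:
            print(f"{host}: {pkg} {have} < required {need}")
```

The output of `outdated()` is the list to hand to whatever notification channel operations uses; running it on a schedule is the monitoring the paragraph calls for.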
Set Up Firewalls with Logging
HIPAA requires that local data centers and workstations should be behind a firewall. HIPAA rules also require recording, auditing, and monitoring of any access to PHI data. This means that logging should be enabled on any firewall, whether deployed on-premises or in the cloud.
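Enabling firewall logging only satisfies the "recording, auditing, and monitoring" requirement if someone actually reviews the logs. The following is an added example, not code from the article or from Atlantic.Net: it parses iptables-style LOG entries and produces a per-host record of who reached the PHI systems and whether the firewall allowed it. The PHI subnet, the allowed source ranges, the `--log-prefix` values, and the sample log lines are all constructed assumptions.

```python
"""Audit firewall log lines for access to PHI hosts (added example, not from the article).

Parses iptables-style LOG entries (the constructed lines below use the key=value
fields that format emits) and produces the record HIPAA asks for: which source
reached a PHI host, over which port, and whether the firewall allowed it.
Addresses, log prefixes and the allow-list are assumptions for this example.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout: PHI systems live in this subnet, and only these
# management/application ranges may open connections to them.
PHI_SUBNET = ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24")]

# Assumed --log-prefix values configured on the ACCEPT and DROP logging rules.
PREFIX_ACTION = {"FW-ACCEPT": "accept", "FW-DROP": "drop"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")
ENTRY_RE = re.compile(r"kernel: (FW-\w+):? (.*)")


def parse_line(line):
    """Return {action, src, dst, proto, dpt} for a firewall entry, or None otherwise."""
    m = ENTRY_RE.search(line)
    if not m or m.group(1) not in PREFIX_ACTION:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    try:
        return {
            "action": PREFIX_ACTION[m.group(1)],
            "src": ip_address(fields["SRC"]),
            "dst": ip_address(fields["DST"]),
            "proto": fields.get("PROTO", "?"),
            "dpt": fields.get("DPT", "?"),
        }
    except (KeyError, ValueError):
        return None   # malformed entry: skip rather than guess at it


def audit_phi_access(lines):
    """Summarise traffic to PHI hosts and flag accepted connections from unapproved sources."""
    summary = defaultdict(Counter)   # dst host -> Counter of "src proto/dpt action"
    violations = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["dst"] not in PHI_SUBNET:
            continue
        summary[str(e["dst"])][f"{e['src']} {e['proto']}/{e['dpt']} {e['action']}"] += 1
        if e["action"] == "accept" and not any(e["src"] in n for n in ALLOWED_SOURCES):
            violations.append((str(e["src"]), str(e["dst"]), e["dpt"]))
    return summary, violations


# Constructed log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jun  1 10:02:11 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=10.10.0.7 DST=10.20.0.15 PROTO=TCP SPT=52310 DPT=5432
Jun  1 10:02:14 fw1 kernel: FW-DROP IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=10.20.0.15 PROTO=TCP SPT=44021 DPT=5432
Jun  1 10:03:01 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=198.51.100.9 DST=10.20.0.22 PROTO=TCP SPT=41000 DPT=22
Jun  1 10:03:05 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth3 SRC=10.10.0.7 DST=10.30.0.4 PROTO=TCP SPT=52311 DPT=443
Jun  1 10:04:40 fw1 sshd[1201]: Accepted publickey for ops from 10.10.0.7 port 50022
""".splitlines()

if __name__ == "__main__":
    summary, violations = audit_phi_access(SAMPLE_LOG)
    for host, counts in summary.items():
        print(host, dict(counts))
    for src, dst, port in violations:
        print(f"REVIEW: {src} was allowed to reach PHI host {dst} on port {port}")
```

The `violations` list is the interesting output: an accepted connection from outside the approved ranges means the firewall rules and the allow-list disagree, and that is exactly the gap an auditor will ask about. Dropped traffic is kept in the summary because the rule also requires a record of attempted access.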
Set Up Controls for File Integrity Monitoring
The cloud user must set up measures that ensure PHI integrity. The organization should have a record of any unauthorized access to PHI and any changes made to the data and should be able to ensure any healthcare data is “authentic”.
Make Sure Encryption is in Place
End-to-end encryption is mandatory for any data transmitted to or stored in the cloud. Systems should be in place to coordinate encryption keys between on-premises and cloud systems.
Set Up Appropriate Processes for a Breach Notification
When a data breach has occurred, both the cloud user (the covered entity) and the cloud provider (the business associate) should investigate and report their findings to the OCR.
Provide Training for Employees
Any employees who work with protected health information (PHI) or related systems must be aware of the relevant security procedures, and what they are and are not allowed to do with the data. An ongoing training program is essential to ensuring HIPAA controls are enforced within the organization.
HIPAA Compliance in the Cloud with Atlantic.Net
We provide a secure and affordable HIPAA-compliant cloud hosting environment with all the benefits of cloud hosting and none of the risks. Our infrastructure has been audited and certified by an independent third party against the HIPAA Security Rule.
We’ll provide your healthcare firm with an ultra-secure private cloud that only you can access; you’ll have access to all the benefits of cloud hosting with none of the risks.
Get Help with HIPAA Compliance
Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or email us at [email protected]