The HIPAA Compliant Cloud: An Introductory Report

More and more healthcare companies are evaluating the cloud as a possible environment for data processing and storage. As more investment has been pumped into the cloud industry, systems have become substantially more robust and complex. However, federal law dictates that providers, health plans, and health data clearinghouses must keep all “protected health information” (PHI) secure and confidential – and the role of technology providers is critical.

“The HIPAA Omnibus Rule had several changes in how CEs and business associates could handle patient data,” explains Elizabeth Snell of HealthIT Security, “and what the ramifications will be if that data is compromised in a data breach.”

HIPAA Compliance

As of the Final Omnibus Rule, companies that provide any solution handling American patient data as “business associates” of healthcare companies – extending from paper shredders to cloud hosts and software developers – must comply with the same essential privacy, security, and breach notification rules established for healthcare firms (a.k.a “covered entities”).

Keep in mind, though, that noncompliance is rampant. FierceHealthIT cited an Office of Civil Rights (HHS Department) attorney stating that the fines issued to healthcare companies failing to meet HIPAA stipulations would skyrocket between June 2014 and June 2015. Since it’s clear that not everyone is following the protective data measures required by the act, self-education is critical – and that’s the intent of this preliminary report on the cloud for health data.

What is Cloud Computing?

Virtual cloud servers allow businesses to store data and utilize resources located elsewhere while accessing from anywhere they want. Essential IT functions such as maintenance of servers and patching of operating software are entrusted to a third party, typically called a cloud service provider (CSP).

One way HIPAA Cloud Hosting is used in healthcare is for imaging, taking advantage of the unprecedentedly affordable performance.

“Cloud services can help healthcare organizations become more connected,” argues Snell, “which is beneficial in an increasingly digital industry.”

As you consider how you want to interact with the cloud, it’s helpful to know that there are three primary categories of public cloud providers:

• Software as a service (SaaS) – This cloud provider gives you specific software capabilities such as an email system or a customer service portal.
• Platform as a service (PaaS) – You have access to external resources delivered through a platform established by the digital provider. Within reason, you can put whatever type of software you want on that platform.
• Infrastructure as a service (IaaS) – This option gives you complete freedom and control. You are actually in charge of your own cloud server in this situation.

The “Final” Omnibus Rule & the Cloud

The Omnibus Rule, which went into effect in 2013, establishes that the health data of American citizens must remain private regardless of location.

The rule states clearly that it doesn’t matter if a third party does not regularly look at the health data of its clients. All that matters is that the data is accessible to them. Essentially, any digital provider handling health data in any way must comply with the law.

In a report on the intersection of the Omnibus Rule and the cloud, the Center for Democracy and Technology (CDT) noted that it was unclear previously if companies that did not regularly access the data needed to worry about HIPAA themselves. Now it’s clear that they do.

The responsibilities of business associates range vastly based on how they are interacting with the protected health data, explains the CDT whitepaper. In a nutshell, though, a service provider that has properly blocked itself off from the data and “that adheres to HHS standards for encryption should have little liability risk as a business associate (except to ensure that it properly manages encryption).”

Partially because the cloud has matured and because the relationship to HIPAA is more evident for all parties involved, cloud storage is now considered an option worth legitimately exploring – with many of the major hosting providers getting certified to prove their compliance to customers.

Cloud companies typically provide advice to their clients to achieve full compliance.

An Amazon Web Services whitepaper on the topic notes that HIPAA-compliant health data should be encrypted with 256-bit AES cryptography or similar. Additionally, the document argues that you can reduce your risk and improve your resource efficiency by omitting any nonessential patient data before sending anything through a cloud system.

Is the Cloud a Necessity?

Cloud is by no means necessary to operate in the current healthcare climate. Many of our HIPAA compliant customers use dedicated servers, even if they want to divide those servers up into numerous virtual machines.

However, as Snell indicates, healthcare companies “might find that this storage option is ideal for them as it can cut down on certain operating or storage costs, and could streamline many services.” Finally, she stresses the importance of a solid business associate agreement.

Do you need to maintain compliance with HIPAA, as with a self-encrypted storage plan? We offer comprehensive, fully audited HIPAA Compliant Hosting solutions within our SSAE 16 certified datacenter, all backed by a transparent and fair business associate agreement.