Beware of "HIPAA Compliant" Cloud Services
Gartner, Inc., a Connecticut-based information technology research and advisory firm, has predicted that cloud spending will increase to $150 billion by the end of the year, and that with the increasing costs faced by the healthcare industry, 30% of healthcare organizations will look to the cloud as a way of reducing operating costs and improving efficiency.
Under HIPAA regulations, healthcare providers and their Business Associates are permitted to use cloud services, even for activities that involve Protected Health Information (PHI). Data can be backed up in the cloud, housed in the cloud, and cloud-based software and applications can be developed, provided, of course, that the Privacy and Security Rules are adhered to.
Care should be taken when choosing “HIPAA Compliant” cloud services: a product can be compliant with federal regulations, but a vendor's claim is no guarantee that a given product or service actually is. The regulations do not cover only the service or platform offered; they also include administrative requirements, rules on how data is uploaded, downloaded and accessed, and much more.
Most importantly, if a laptop, smartphone, server or desktop is used to access data stored in the cloud, that device could easily cause a disclosure of PHI and a HIPAA violation, and no cloud service provider can prevent that. If a vendor advertises as being HIPAA-compliant, an organization may assume that everything it does will be HIPAA-compliant, or that the vendor will look after compliance on its behalf. That is most definitely not the case.
In order to be compliant, data access must be controlled and a number of technical safeguards put in place to protect PHI when it is stored in the cloud, backed up or transported in and out.
In many cases, vendors can assist in ensuring compliance with HIPAA regulations, and one of the most important elements of that assistance is the Business Associate Agreement. All vendors must agree to sign a BAA and to abide by the HIPAA Rules. This means they too must implement appropriate technical, administrative and physical controls to protect PHI, although these controls must be stipulated by the covered entity and detailed in the agreement.
The Health Care Cloud Coalition (HC3) is aware of the problem with HIPAA and cloud services and is looking for solutions that help the healthcare industry take advantage of cloud services while supporting service providers. It is holding a meeting on June 19 this year to help clarify how HIPAA applies to the cloud. There is much confusion about the specifics of HIPAA, as the legislation concentrates on healthcare providers' and health insurers' use of the cloud rather than offering advice to cloud service providers on making their products and services HIPAA-compliant.
At next month’s meeting, HC3 will discuss how the HIPAA Rules apply to software-as-a-service, how providers can leverage existing programs to demonstrate the robust security safeguards they incorporate, and how to show that cloud-specific security risks have been effectively managed. HC3 will also attempt to obtain guidance from the OCR on how HIPAA applies to cloud service providers.