HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Choose the Right Healthcare Cloud Provider

Healthcare organizations often turn to a HIPAA compliant cloud vendor or Managed Service Provider to help them ensure electronic patient records are secured and they are in compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA contains an extensive set of rules for healthcare organizations which were introduced in 1996 to improve privacy and security of patient information, eliminate waste in healthcare, and combat fraud.

This legislative act introduced new and legally binding requirements for healthcare providers to secure their systems, improve privacy and security protections, and keep health data private and confidential at all times. The Act and its subsequent updates have served to strengthen privacy protections, give patients new rights, and ensure that all healthcare organizations achieve a minimum standard of data security.

It may seem that HIPAA is at odds with cloud computing, but there is nothing in HIPAA legislation that prohibits use of the cloud for sharing or storing patient data. HIPAA covered entities can use cloud platforms and services in connection with protected health information, provided certain provisions of HIPAA are satisfied. That means finding a suiotable cloud vendor can be more of a challenge.

Is Cloud Security Sufficient to Meet HIPAA Requirements?

There is a common misconception that the cloud does not provide a sufficiently high level of security, and that any PHI stored in the cloud will be less secure than on an on-premises server. That is certainly not the case. The cloud can provide the same or even greater security for sensitive data. Hovever, to ensure that is the case, you should choose a vendor that is fully aware of the requirements of HIPAA and has implemented all appropriate safeguards to ensure compliance.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Certifications and Security Standards – Secure cloud vendors offering HIPAA compliant hosting services play an essential role in helping healthcare organizations join the cloud revolution. While there is no official HIPAA compliance certification, trusted third-party assessments of the state of compliance can provide reassurances that a vendor provides enhanced technical solutions in-line with the administrative, physical and technical safeguards demanded by HIPAA.

These safeguards require a cloud vendor to ensure that they have policies, procedures, and controls in place covering:

  • Data Security – Strict guidelines are in place covering how data is stored, transferred and removed, ensuring that data is always encrypted and always protected
  • System Security – Client servers and segregated networking systems are protected to HIPAA standards to prevent unauthorized access
  • Structural Security – Cloud data centers must be built from the ground up with stringent security protocols in place to protect the physical building and the electronic systems containing patient data
  • Maintenance – The vendor must ensure the infrastructure is always up-to-date and properly maintained and patched

Other critical certifications to look out for include HITECH compliance and SSAE18 (SOC1 and SOC2). These standards ensure that internal audit controls, security policies, and data processing is of the highest standard and there are strict standards in place to ensure client confidentiality.

Data Governance and Compliance – There are several other critical governance and compliance processes which your shortlisted cloud vendors should adhere to:

  • Auditable – Is the cloud vendor’s infrastructure auditable? Can the vendor provide an risk assessment report on demand to auditors? These audits validate the cloud vendor’s compliance and offer the client greater insight into the vendor’s capabilities
  • Business Continuity – Can the cloud vendor offer secure offsite backups and data protection technology (such as disaster recovery failover) for the hosted IT infrastructure
  • Business Associate Agreement – HIPAA requires the cloud vendor to enter into a Business Associate Agreement with HIPAA-covered entities which clearly defines the rules and responsibilities of each party entering the agreement.
  • Data location – It is important to know where all your data is located. Most healthcare data must stay within the United States. You need to understand the cloud provider’s data services locations and where PHI may be stored. This is also essential for backups and DR.

Accountability, Compliance, and Business Associate Agreements

When entering into a BAA with a cloud vendor, the vendor is essentially guaranteeing a level of service and compliance for your organization. The roles and responsibilities of the cloud vendor should be clearly defined, as well as your responsibilities as a client. The aim is to create a status quo of an agreement which is mutually beneficial to all involved, while meeting the requirements of HIPAA.

Other areas of accountability to consider are:

  • Service Level Agreements – This is a service agreement the vendor must adhere to or risk an (often financial) penalty. Things such as Service Uptime, agreed RPO (Recovery Point Objective) and RTO (Recovery Time Objective) should be states in the SLA.
  • Managed Service – The cloud vendor will need to provide a level of service management agreed in the BAA. This usually includes providing and upgrading the technology solution, keeping and maintaining procedures and processes related to your technical solution. It may also include offering technical support, monitoring, and pre/post-sales support.

Additional Technology and Services from Hosting Providers

It is important to develop an understanding of what the cloud vendor can do for your healthcare business. Does the cloud vendor offer you services and technology that your organization can utilize that will benefit your organization? 

Healthcare is a very specific business market, so it is worthwhile choosing a knowledgeable vendor with vast experience providing similar services to other healthcare professionals, using tried and tested methods and proven solutions. They must also be forward-thinking and constantly evolving within the healthcare marketplace and may be able to offer a range of digital transformation services to further enhance your business.

This can be done by assessing the technology and services on offer from the provider. Most healthcare organizations opt for Infrastructure as a Service (IAAS) or Platform As A Service (PAAS). But, your cloud vendor may be able to offer an even greater range of services such as:

  • Managed Backup Service –  HIPAA requires a backup solution to be implemented to prevent file loss. An existing HIPAA compliant backup service may be offered by your cloud vendor
  • Managed Disaster Recovery solution – The ability to evoke DR services to fail over production infrastructure to a geographically disparate location are a fundamental part of healthcare compliance. Some cloud vendors can manage this in its entirety for you – failover sequence, boot sequence and testing – as well as implementing regular DR tests
  • 24x7x365 Operational Support – To ensure the manageability of your new cloud infrastructure you may at times need support directly from your cloud vendor. Having around-the-clock support can be highly advantageous
  • Managed Network Services – Firewalls and associated technology can be difficult to manage for some organizations. If your cloud provider offers HIPAA compliant network infrastructure, you can be certain that you will be provided with a durable and reliable computer network 
  • Migration Services to the Cloud – Most healthcare organizations will already have a significant IT footprint. It’s important to ask what your cloud vendor can do to fast-track the migration to the cloud and what their exit strategy is, should you happen to change vendor in the future
  • Data Monitoring – Data and trend monitoring not only protects against data misuse but also offers enhanced security and system protection to healthcare clients
  • Intrusion Detection – This can be a physical or technical safeguard to protect the underlying computer hardware which provides your cloud service. If your cloud vendor offers this capability, then you can be assured your digital assets are protected to a high standard
  • Multi-Factor Authentication (MFA) – Cloud vendors are extremely flexible with how clients access their data; however, protecting data from unauthorized access is also important. MFA provides multiple levels of protection for sensitive data. In addition to a password, identity must be verified by phone authorization, PIN, fingerprint, or another biometric method
  • Encryption – Data must be encrypted at rest and in transit to AES 256-bit standard

HIPAA Compliance in the Cloud is Not Just About Privacy and Security

Naturally, healthcare organizations will need to choose a HIPAA-compliant cloud vendor that provides a service to match their needs and budget, but HIPAA is not only concerned with protecting patient data from unauthorized access and ensuring no health information is manipulated in transit. The HIPAA Security Rule requires safeguards to be implemented “to ensure the confidentiality, integrity, and availability of PHI”. If HIPAA-covered data is moved to the cloud, it must be possible for that information to be accessed on demand, at all times. 

Your cloud vendor must therefore offer a reliable service with guaranteed uptime of near-100%. The additional safeguards that are implemented to improve cybersecurity protections should also not have a negative impact on performance. The cloud offering must perform well despite all the security safeguards put in place.

Other key benefit of the cloud are its scalability and flexibility. To ensure you get the most benefit out of your transition to the cloud, ensure you choose a cloud vendor that has a platform that’s capable of growing with your business and will be able to carry on meeting the needs of your business in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.