
HIPAA Compliance and the Cloud

The cloud offers many advantages to healthcare providers and other covered entities. It is possible to use cloud services and remain HIPAA compliant; however, it can be a long and arduous process to obtain all the necessary documentation to confirm that is the case, and if you can’t, you could end up violating HIPAA Regulations.

The cloud is convenient and flexible. Covered entities (CEs) can use private and secure cloud services that allow a great deal of customization, and there is now a wide range of companies offering cloud-based services to the healthcare industry, an industry that has traditionally lagged behind others in adopting new information technology.

However, any CE using the cloud must exercise extreme caution, especially when it comes to moving data to and from it. This is an area well covered by HIPAA regulations.

Many healthcare providers have ventured into the cloud already and have implemented their own measures to ensure that PHI is secured. Today, a number of providers of cloud services are taking care of this aspect of the business and are offering “HIPAA compliant” cloud services. Exercise some caution here: no product or service can itself be HIPAA compliant. Only the organization that uses it can be.


If you are considering using cloud services, it is important to find a Cloud Service Provider (CSP) that offers a standards-based cloud environment, and to ensure that it can certify that it has implemented the security measures necessary to comply with HIPAA. The CSP will become a Business Associate, will be required to comply with HIPAA, and would need to be able to pass a compliance audit.

Choosing a CSP

The following factors must be assessed before a CSP is chosen:

Controlling Access to PHI

It is essential to maintain control of any PHI that is placed in the cloud, and to exercise full access control while the data is stored. Only authorized individuals must be permitted to access the data, and that access must be limited to the minimum necessary information for the task to be performed. All of these controls must be fully documented; any documentation a CSP provides must be able to stand up to a full compliance audit.

You should ask any CSP whether they are willing to prove compliance and to provide documentation demonstrating that access controls are in place: who has access to the system, when they can access it, and whether anyone else could potentially access stored data, including backups.

Where is Your PHI going to be Stored?

In an audit you will be required to show where your data is stored. You must know the location of your data at all times, so you must find out from the CSP exactly where their servers are located. You should only use cloud service providers with servers based in the United States. Data stored on servers in other countries could be subject to the laws of those countries, which may not offer the same level of protection as the United States.

Data Encryption

You should avoid any cloud service where several customers share a virtual instance of a software application. Many companies offer this architecture as it saves on costs, but it rarely provides the necessary protections to prevent customers from accessing each other’s data.

It is also essential to encrypt data both at rest and in transit. This includes all data stored in backups. It is equally essential that inventory control is maintained on all devices used to store PHI.

Disaster Recovery

In the event of a power outage, natural disaster, or other emergency, access to PHI must not be prevented. Data must remain accessible at all times, and it must be possible to restore any accidentally deleted or corrupted data. Restoration from backups must be tested, and documentation covering the disaster recovery processes must be obtained.

Business Associate Agreements

Once you are sure that the service offers all the necessary safeguards to protect PHI and personal identifiers of patients and plan members, a Business Associate Agreement must be signed by both parties stating the obligations of each, before access to data is provided.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.