Share this article on:
Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.
Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed.
A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level.
It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform provider.
Cloud Service Providers are HIPAA Business Associates
A HIPAA business associate is any person or entity who performs functions on behalf of a covered entity, or offers services to a covered entity that involve access being provided to protected health information (PHI).
The HIPAA definition of business associate was modified by the HIPAA Omnibus Rule to include any entity that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to providers of cloud computing platforms.
Consequently, a covered entity must obtain a signed business associate agreement (BAA) from the cloud platform provider. The BAA must be obtained from the cloud platform provider before any PHI is uploaded to the platform. A BAA must still be obtained even if the platform is only used to store encrypted ePHI, even if the key to unlock the encryption is not given to the platform provider. The only exception would be when the cloud platform is only used to store, process, maintain or transmit de-identified ePHI.
The BAA is a contract between a covered entity and a service provider. The BAA must establish the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all elements of HIPAA Rules that apply to the platform provider. Details of the contents of a HIPAA-compliant BAA can be obtained from the HHS on this link.
Cloud computing platform providers and cloud data storage companies that have access to PHI can be fined for failing to comply with HIPAA Rules, even if the service provider does not view any data uploaded to the platform. Not all cloud service providers will therefore be willing to sign a BAA.
A BAA Will Not Make a Covered Entity HIPAA Compliant
Simply obtaining a BAA for a cloud computing platform will not ensure a covered entity is compliant with HIPAA Rules. HIPAA Rules can still be violated, even with a BAA in place. This is because no cloud service can be truly HIPAA compliant by itself. HIPAA compliance will depend on how the platform is used.
For example, Microsoft will sign a BAA for its Azure platform; but it is the responsibility of the covered entity to use the platform in a HIPAA-compliant manner. If a covered entity misconfigures or fails to apply appropriate access controls, it would be the covered entity that is in violation of HIPAA Rules, not Microsoft. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Penalties for Cloud-Related HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered entities that have failed to obtain business associate agreements before uploading PHI to the cloud, as well as for risk analysis and risk management failures.
St. Elizabeth’s Medical Center in Brighton, Mass agreed to settle its case with OCR in 2015 for $218,400 for potential violations of the HIPAA Security Rule after PHI was uploaded to a document sharing service, without first assessing the risks of using that service.
Phoenix Cardiac Surgery also agreed to settle a case with OCR for failing to obtain a business associate agreement from a vendor of an Internet-based calendar and email service prior to using the service in conjunction with PHI. The case was settled for $100,000.
In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being stored in the cloud without first obtaining a HIPAA-compliant business associate agreement.
Use of the Cloud by Healthcare Organizations
An increasing number of healthcare organisations are taking advantage of the cloud and cloud services. In January 2017, HIMSS Analytics studied use of the cloud at 64 healthcare organizations of all sizes. The survey showed 65% of healthcare organizations are now using the cloud or cloud services, including smaller hospitals (<50 beds).
The biggest area of growth is the use of software-as-a-service (SaaS), jumping from 20% in 2014 to 88% in 2016, followed by disaster recovery, up from 42% to 61%, and use of the cloud for hosting clinical applications, which increased from 52% to 63%.
A HIMSS/ClearData survey was also conducted on 50 respondents from the largest healthcare organisations in the United States (20% – 101-250 beds, 32% – 252-500 beds, 36% 500+ beds). 84% of those organizations are currently using cloud services, with 74% planning to move existing or new workloads to the cloud.
Out of the large healthcare organizations that have already adopted cloud services, 85.7% did so for IT (including backups, desktop and server virtualization, hosting archived data), 81% for administrative functions (financial, operational, HR and back office applications and data), 57% for analytics and 40.5% for clinical applications and external data sharing.
For large organizations, the most common uses of the cloud are for hosting analytics applications and data (48%), hosting financial applications and data (42%), for operational applications and data (42%) and HR applications and data (40%). 38% were using the cloud for disaster recovery and backups.
When asked to rate the top factors that were considered when choosing a cloud service provider, top of the list was adherence to regulatory requirements such as HIPAA and HITECH, rated in the top three by 54% of organizations, followed by the willingness to meet BAA requirements (38%) and technical security (32%). In terms of security, the biggest cloud vendors are perceived to be the best choice as they can afford to hire the very best staff and can devote huge resources to ensuring their platforms are secure.
Microsoft Azure and Amazon AWS are the most commonly chosen platforms, and also the most highly rated according to the HIMSS Survey. Amazon has long been the leading cloud service provider, although Microsoft appears to be catching up according to this comparison of Azure and AWS.
The main benefits to healthcare organizations of migrating to the cloud were: Performance and reliability, ease of management, total cost of ownership, and infrastructure agility.
While there are clear benefits, use of the cloud is not without challenges. The biggest challenges for healthcare organizations were seen as cost/fees (47.6%), customer service (33.3%), migration of data and services (26.2%), and availability and uptime (23.8%).