HIPAA Guidelines: Understanding Compliance in the Cloud 

Learn about the HIPAA guidelines and gain a better understanding of how you and your IT provider play a part in cloud compliance.

The international healthcare cloud computing market is projected to rise to a valuation of nearly $9.5 billion in 2020—an annual growth rate of 20.5%. For organizations that manage, store or transmit electronic protected health information (ePHI) and are entering the cloud market, staying abreast of the latest HIPAA guidelines is essential. Published in October 2016,  the U.S. Department of Health and Human Services’ (HHS) Guidance on HIPAA & Cloud Computing clarifies the responsibilities of covered entities (CEs), business associates (BAs), and cloud service providers (CSPs). Understanding compliance in the cloud can be the difference between running a successful business and closing your doors. 

You don’t have to take our word for it, though; you can view the OCR “wall of shame” online, including both CEs and BAs who did not follow HIPAA’s cloud guidelines, resulting in serious fines. Non-compliance due to ignorance will not save you from the legal and financial headaches

Explore the Connection Between HIPAA and Cloud Computing 

Let’s start with what exactly cloud computing encompasses: The National Institute of Standards and Technology’s (NIST) definition of cloud computing is a model giving users access to on-demand, convenience-driven, scalable, and flexible access to any shared computer resources, including hardware and software. In healthcare, cloud computing enables organizations to access, use, change, and grow ePHI databases efficiently for streamlined patient care.

The “Guidance on HIPAA & Cloud Computing” by the HHS provides precise information on maintaining HIPAA compliance while using cloud-computing services for storing, transmitting or managing ePHI. Health information, including personal identification information, medical records, and treatment protocols, represent a private and protected relationship between a patient and a medical service provider. In the wrong hands, the information could jeopardize equal opportunity, personal privacy, and patient control.

The HIPAA Security Rule and the update, “Guidance on HIPAA & Cloud Computing,” assign liability and clarify responsibilities for any organization using or offering cloud computing services.

Who Must Comply with Cloud Computing Rules?

The guidelines released in 2016 identify who falls into the categories of covered entities (CEs) and business associates (BAs). CEs hold the first level of responsibility as health plan providers, clearinghouses, and healthcare providers. The term BA includes all individuals and organizations that partner with or offer services to CEs. BAs are required to ensure protection to both CEs and HIPAA regulators. To clarify roles and responsibilities, the Office of Civil Rights (OCR) does consider all healthcare cloud service providers (CSPs) and CSP subcontractors as business associates. 

Under HIPAA guidelines, business associates must enter into a legally enforceable and HIPAA-compliant contract known as a business associate agreement (BAA). Regardless of the ePHI interaction, these guidelines place liability on CSPs for maintaining the terms of all BAAs and for complying directly with HIPAA terms. Even CSPs that handle encrypted data must maintain compliance and protect the data from cyberattacks, physical disasters, and other malfunctions.

Last year, the OCR entered a $400,000 HIPAA settlement with Care New England Health System, citing an insufficient business associate agreement. This one reminder that the responsibility of compliance is shared—your organization and your IT provider must carefully outline who is responsible for what and maintain up-to-date documentation. For instance, the demarcation point where the providers’ responsibility ends and yours begins can be at the OS level, and your agreement should note that information accordingly.

Review Guidelines Affecting Cloud Computing

Most HIPAA- compliant cloud service providers create service level agreements (SLAs) to address security, information disclosure, disaster recovery policies, and other specific data handling practices. As previously mentioned, collaborating with a HIPAA-compliant CSP does not transfer all security and risk management activities to the service provider.

Every covered entity and business associate must understand individual compliance and overlapping compliance concerns. As HIPAA business associates, CSPs must:

• Recognize separation of responsibility under the Security Rule. While CSPs must protect the data in their care, CSPs must also understand the separation of access and responsibility. Consumers who access their health records through a provider, for instance, bear some level of personal responsibility for using access best practices. CSPs must maintain compliance with access control, encryption standards, and other activities within the scope of the business associate arrangement.
• Not disclose ePHI unless permitted through the BAA, Privacy Rule, or other applicable laws. No-view and view CSPs must not restrict ePHI to covered entities or relevant consumers who hold access rights but must maintain data privacy standards to prevent illegal access.
• Comply with the breach notification rule. CSPs must provide affected covered entities or other contracted business associates with information about all unsecured ePHI breaches unless the incident qualifies as a “safe harbor” event and the organization followed recommended de-identification practices. In instances involving data protections that do not meet HIPAA standards, relevant parties must also inform affected consumers.

Covered entities should use business associate guidelines when evaluating, and choosing all cloud service providers for cloud software and hardware services.

Implement Best Practices for Compliance Today 

Organizations have struggled to transition from data center security—that’s more physical—to security in the cloud. In order for your cloud-based data to be secure, the data center in which it resides must also be secure, but also requires additional security functions.

Because the HHS does not offer recommendations or endorse a list of qualified vendors for covered entities, it’s up to you to do your due diligence. To choose an appropriate cloud service provider, use the following best practices:

• Conduct a risk assessment. Managed hosting providers should demonstrate complete compliance. For ePHI-handling services, public cloud solutions rarely offer the security and support a healthcare-covered entity needs. NIST suggests the following steps for healthcare risk management:
  • Categorize information systems
  • Identify and implement security controls
  • Access security controls
  • Authorize information systems
  • Monitor and adjust security controls
• Ask providers how they mitigate common cloud security mistakes. The OCR states that the three main mistakes in data security are lack of encryption, lack of transmission security (connecting multiple clouds and managing the security of that connection), and the use of unpatched or outdated software.
• Look for the major security and privacy assets in a vendor. Evaluate encryption, access control, log management, auditing, penetration testing, and disaster recovery planning before entering into a contract with a possible service provider.
• Begin each partnership with the right strategy. Develop a service definition, business associate agreement, and a service level agreement, to prioritize both compliance and successful business outcomes from the start. Before talking to service providers, identify the workflow changes you wish to see and the services that match your business goals. Then, search for providers who can match regulatory and service needs.

Compliance not only protects businesses from excessive regulatory fines—it also protects a company’s reputation and minimizes the risk of harm to your patients. Cloud computing offers technical agility and gives healthcare organizations a competitive edge in a rapidly advancing world. However, not all cloud computing service providers offer the same level of support, data security, and compliance expertise. Use our tips to understand how HIPAA governs CSPs and BAs to find a proven compliance-friendly provider that meets your usability requirements and compliance needs.

Additional Resources on This Topic

HIPAA and Cloud Computing Part I
5 Things to Know About HIPAA and Cloud Computing

This article was first published on OnRamp.