In their search for a low-cost way to provision the complex IT infrastructure and HIPAA-compliant applications, storage, and networking solutions needed to support a variety of core organizational functions, more and more healthcare providers are turning to the cloud.
The HIPAA-compliant cloud offers several benefits to players in the healthcare industry ranging from expanded storage and significant cost savings to custom applications and remote file sharing. This gives providers the ability to create a scalable, future-proof IT infrastructure for their operations.
With cloud computing rapidly becoming the de facto IT infrastructure standard in healthcare settings, it’s essential that IT decision-makers understand and trust the cloud solutions they implement while ensuring that they comply with HIPAA regulations.
HIPAA Requirements that Healthcare Cloud Providers Must Meet
The following are some of the cloud service models available to healthcare providers:
- Infrastructure-as-a-service (IaaS)
- Platform-as-a-service (PaaS)
- Software-as-a-service (SaaS)
- Identity and access management-as-a-service (IDaaS)
- Mobile backend-as-a-service (MBaaS)
- Managed software-as-a-service (MSaaS)
- Analytics-as-a-service (AaaS)
No matter the level of cloud adoption or type of model they choose to deploy, healthcare organizations should ensure that their cloud infrastructure has the same HIPAA protections as their on-premises systems.
To make their offerings even more attractive to healthcare organizations, many cloud service vendors infuse their solutions with additional protocols, stricter access controls, and extra security layers to deliver on HIPAA compliance requirements.
However, care must be taken when choosing cloud providers since some may offer tools in collaboration with other vendors. While the primary vendor may be HIPAA compliant, this compliance doesn’t necessarily extend to other collaborating vendors, leading to a product mix of HIPAA compliant and non-compliant tools. Under the HIPAA Omnibus Rule, business associates – any third-party organizations, subcontractors, and other entities that touch or transmit protected health information (PHI) – are subject to the same privacy and security requirements as covered entities.
Therefore, the burden lies on healthcare organizations to manage the physical and logistical security of their infrastructure by implementing controls and choosing cloud solutions that comply with HIPAA regulations throughout the full lifecycle of PHI.
To ensure that their cloud environments are HIPAA compliant, healthcare organizations should look for cloud providers that meet the following criteria.
Ease of data migration
Compliance with the HIPAA Privacy Rule means that cloud vendors must provide healthcare clients with the ability to extract the medical information stored on its servers on termination of its hosting/service agreement. Although major cloud players like Google, Amazon, and Microsoft provide users with the ability to easily download, export, and migrate copies of patients’ data, healthcare organizations should ensure that their preferred cloud provider has such protocols in place.
Willingness to sign a business associate agreement
Under HIPAA, any entity that provides certain services to or performs activities or functions for a covered entity involving the creation, maintenance, receipt, or transmission of PHI is regarded as a business associate. The covered healthcare organization should ensure that they enter into a HIPAA-compliant business associate agreement (BAA) with such entities (cloud providers).
Such an agreement renders the entity contractually liable for adhering to the terms of the BAA and directly liable for ensuring compliance with all applicable requirements of HIPAA. Consequently, cloud service vendors that are unwilling to sign a BAA should not be considered as possible partners by healthcare organizations looking for HIPAA cloud compliant solutions.
PHI protection and security practices
HIPAA mandates that healthcare information hosted on cloud data centers must be encrypted both in transit and at rest. Also, there must be a protocol for auditing and tracing data and system access at all times. While most cloud vendors typically embed data encryption capabilities in their offerings, healthcare organizations can implement additional security safeguards by restricting system and data access to only authorized personnel.
As a general rule of thumb, apply the principle of least privilege: employees should be given access only to the data necessary to perform their job functions, and nothing more.
High availability to ensure ready access to patient health records
HIPAA stipulates that all systems and solutions hosting protected health information should offer high reliability and availability. IT decision-makers should review the uptime score of their cloud service providers and ensure that their contracts contain service-level agreements. By using a reliable cloud solution with high uptimes, you’ll ensure that providers have access to patient data when they need it.
While cloud computing enables scalable, fast-paced healthcare environments and makes it easier for healthcare organizations and professionals to collaborate effectively, it comes with unique privacy and security concerns. These concerns make HIPAA compliance a serious consideration for organizations looking to incorporate cloud services and solutions into their IT infrastructure. To ensure compliance with HIPAA regulations, healthcare organizations must do due diligence when reviewing cloud solutions and only choose vendors that offer HIPAA compliant options for healthcare settings.