Cloud solutions are quickly becoming the new norm for the way businesses operate today. Many companies are moving from legacy software systems to online “hosted” alternatives, such as SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) or IaaS (Infrastructure-as-a-Service). The benefits benefits of cloud-based solutions over desktop software are wide ranging, affecting everything from productivity to data security. Healthcare organizations also need to take the appropriate precautions to ensure that they have a HIPAA compliance cloud.
It makes sense to see why so many organizations are adopting cloud-based solutions–improved efficiency, flexibility, cost reduction, mobility, as well as around the clock support are all driving forces behind the growth of cloud services.
Yet, HIPAA compliance cloud services also raise some concerns in regards to security and compliance, which go hand-in-hand to help organizations keep their sensitive healthcare data safe. For businesses operating in the healthcare industry, which accounts for approximately one fifth of the US economy, these concerns escalate due to HIPAA regulatory requirements that mandate the privacy and security of patients’ protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, Social Security numbers, phone numbers, medical records, and full facial photos, to name a few.
HIPAA applies to covered entities, such as providers and insurance plans, as well as business associates who perform certain functions for, or on behalf of another health care organization that involves receiving, maintaining, or transmitting PHI.
For example, a cloud service provider (CSP) who is involved in handling PHI for a covered entity whether it is data storage or a complete software solution such as a hosted electronic medical record system, are still considered a business associate and need to implement a HIPAA compliance cloud.
HIPAA Compliance in the Cloud
In a nutshell, both covered entities and business associates need a HIPAA compliance cloud that allows for the creation of an effective compliance program. The Department of Health and Human Services (HHS) released a detailed, five-step guidance on cloud computing that parties must adhere to in order to maintain HIPAA compliant relationships. This HHS guidance on HIPAA compliance cloud services, includes:
- Execute a Business Associate Agreement– A business associate agreement outlines what business associates can and cannot do with the PHI they access, how they will protect that PHI, how they will prevent PHI disclosure, and the appropriate method for reporting a breach of PHI if one would occur. It also defines liability in the event of a data breach.
- Conduct a HIPAA Security Risk Assessment– The covered entity or business associate that works with a cloud service provider must document the cloud computing environment and security solutions put in place by the cloud service provider as part of their risk management policies.
- Abide by the HIPAA Privacy Rule– A covered entity must enforce proper safeguards in order to keep PHI safe and information can only be disclosed to a business associate after a business associate agreement has been executed.
- Implement HIPAA Security Safeguards– A business associate must comply with all three key security safeguards outlined in the HIPAA Security Rule: Physical, Technical and Administrative.
- Adhere to the HIPAA Breach Notification Rule- In the event of a data breach, covered entities and business associates are required to document and investigate the incident. All breaches must be reported to HHS OCR. All affected parties must be notified as well.
The only exception to the Breach Notification Rule is if the data was properly encrypted. If, for example, a properly encrypted device containing PHI goes missing, then there is a low probability that the data will be accessible by an unauthorized user. In this case, a breach will not have to be reported under the provisions of the Breach Notification Rule. However, it is crucial that all HIPAA covered entities and business associates read the standards outlined in the regulation to determine the proper level of HIPAA encryption for different modes of data storage and transmission.
If a covered entity does not execute a Business Associate Agreement with a third party vendor with whom they share PHI, both organizations are leaving themselves exposed to significant risk of HIPAA violations.
A HIPAA Compliant Cloud Will Save You Money
Data breaches are very costly–not only due to monetary penalties, but also because of the long-lasting reputational damage a breach can have on an organization.
HIPAA breach fines can range anywhere from $100 to $50,000 per violation or record, with up to a maximum of $1.5 million per violation. When multiple violations or a large scale data breach occurs, these fines can compound and lead to millions of dollars in HIPAA fines. As if that isn’t bad enough, breaches are publicly listed on the “Wall of Shame,” maintained and enforced by HHS OCR. This list shows all HIPAA breaches affecting 500 or more individuals. Even worse, some HIPAA violations can lead to criminal charges, carrying the potential for jail time.
In order to avoid violations and fines, healthcare providers and business associates must comply with HIPAA regulations which means protecting the security and privacy of their patients.
Compliancy Group Can Help!
Compliancy Group helps healthcare professionals and business associates effectively address their HIPAA compliance with our cloud-based app, The Guard. The Guard allows users to achieve, illustrate, and maintain compliance, addressing everything that the law requires.
Users are paired with one of our expert Compliance Coaches. They will guide you through every step of the process and answer any questions you may have along the way. Compliancy Group simplifies compliance so you can get back to confidently running your business.
And in the event of a data breach or HIPAA audit, our Audit Response Team works with users through the entire documentation and reporting process. At Compliancy Group, we go above and beyond to help demonstrate your good faith effort toward HIPAA compliance. Find out more today!