What to Look For With HIPAA Certified Cloud Services: Who Needs them?
The HIPAA regulations divide businesses into two groups based on how they interact with protected health information (PHI):
Covered Entities (CE): Healthcare providers, health plans, and healthcare data clearinghouses fall into this category. These organizations use PHI for treatment, billing, and the data analysis that supports those activities. Covered entities such as doctors and insurance companies create PHI in the course of their everyday work.
Business Associates (BA): If a company takes possession of PHI to provide support services to CEs or other BAs, they are considered a business associate. Electronic health record services, managed service providers, third-party billers, and print/mailing firms that send statements to patients are some common examples of BAs.
BAs must follow HIPAA’s Privacy Rule, Security Rule, and the HITECH Omnibus Rule, including breach notification and the protection of PHI in physical or electronic (ePHI) formats.
Organizations must sign Business Associate Agreements (BAAs) before transmitting PHI. The goal is to create an unbroken chain of HIPAA compliance in any place where PHI may be stored or used.
The specific ways each group interacts with PHI differ from company to company, but every organization shares the same requirement to be HIPAA compliant.
Determining Cloud HIPAA Compliance: Fear and Opportunity
By now, most people are aware of cloud-based data and operations. Users have shared access to applications, servers, and services through internet-based computing that delivers data to connected devices on demand. A cloud-based system should enable easier collaboration and data sharing while offering better remote system management tools.
While many businesses were quick to embrace cloud services, concerns about HIPAA compliance caused the healthcare industry to lag. Cloud service providers that hope to market successfully to HIPAA-regulated organizations must offer services that meet the same HIPAA regulatory standards as their potential customers.
What to Look For With HIPAA Certified Cloud Services: SaaS, PaaS, IaaS
To the uninitiated, cloud computing can seem like a swamp of acronyms and confusing services. Here’s a quick overview and explanation of three of the most common terms.
Software-as-a-Service (SaaS): The most basic form of cloud computing, SaaS offers centrally stored data that users access through a web browser. Gmail is a familiar example of a SaaS service. SaaS solutions work well for organizations with smaller IT departments because the vendor performs most of the maintenance and upkeep of the solution.
Health IT functions that are a perfect fit for SaaS solutions include electronic health records (EHRs), medical practice management systems, and health information exchange (HIE).
Platform-as-a-Service (PaaS): Offering more control over cloud environments, PaaS provides an application hosting environment that allows organizations to build and deploy custom applications without developing or maintaining the infrastructure.
Users access healthcare data through a custom app instead of a web browser, and the vendor maintains the operating system and network. Mid-sized to large organizations with dedicated developers benefit most from PaaS.
Infrastructure-as-a-Service (IaaS): For those seeking a comprehensive cloud approach, IaaS provides organizations with storage, networks, and other fundamental computing resources to deploy and run arbitrary software, such as operating systems and applications. The organization does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications.
Large institutions such as health systems, hospitals, and medical groups that need the highest control over their computing environment are likely to engage in IaaS, but doing so requires a skilled IT staff.
What to Look For With HIPAA Certified Cloud Services: Check the Details
If you decide to explore the world of cloud computing, there are a few things to keep in mind:
Is the cloud service provider HIPAA compliant? Compliancy Group offers automated HIPAA compliance solutions to cloud service providers, just like we do covered entities and other business associates. We also provide third-party verification of an organization’s compliance status, so you know you’re dealing with someone who understands the importance of protecting PHI.
Are all of their applications and services HIPAA compliant? You may think this is an odd question. If an organization is HIPAA compliant, wouldn’t that mean that everything they do is HIPAA compliant?
The answer is not as clear-cut. While one advantage of a cloud provider is the ability to build a solution to fit a client’s needs, each part of that solution must also handle PHI in a HIPAA-compliant manner. Cloud HIPAA compliance depends in part on whether the provider signs a BAA for each particular service. If the solution includes a service for which the provider will not sign a BAA, that gap can jeopardize the compliance of the entire solution.
If you need further guidance about HIPAA compliant cloud service providers, Compliancy Group offers a list of endorsed companies providing a wide range of services to its clients. It’s one more way Compliancy Group helps you achieve and maintain HIPAA compliance.