HIPAA Privacy and Security Rules:
HIPAA Cloud Requirements
Cloud computing makes it easy to share information with multiple users from any location. Working with cloud technology gives organizations the convenience of being able to access their data from anywhere at any time; an employee no longer needs to be at the office to access it. With this convenience, however, come complications that are easy to overlook: the organization no longer controls the physical infrastructure, shares it with other tenants, and depends on a third party for many of its safeguards. When choosing a HIPAA cloud provider, healthcare organizations must confirm that the HIPAA Privacy and Security Rules are still met for protected health information stored or processed there.
Do Cloud Providers Have Sufficient Security in Accordance with HIPAA?
The HIPAA Privacy and Security Rules require healthcare organizations to adequately safeguard protected health information (PHI). Cloud providers may be able to offer stronger security for sensitive data than traditional on-site servers, but no provider is "HIPAA compliant" on its own: compliance depends on how the service is configured and used, and on the contract that governs it. Organizations must therefore vet cloud providers before they work with them, and a cloud provider that creates, receives, maintains, or transmits PHI on an organization's behalf is a business associate under HIPAA, with its own direct obligations under the Security Rule.
- Security Standards
A HIPAA compliant hosting service will have administrative, technical, and physical safeguards in place to protect PHI, mirroring the three safeguard categories of the Security Rule.
The following should be in place to meet the HIPAA Privacy and Security Rules:
- Data Security: documented standards for how data is stored, retained, securely deleted, and transferred must be in place. PHI should be encrypted both at rest and in transit, with access controls and unique user IDs ensuring that only authorized users can reach it.
- System Security: in a shared (multi-tenant) environment, each client's data and workloads must be logically isolated so that one tenant, or an unauthorized individual, cannot access another's information.
- Structural Security: strict physical security measures (facility access controls, visitor logs, environmental protections) must protect the data centers where cloud systems are housed.
- Maintenance: the cloud provider must keep its infrastructure patched and up to date, and review its safeguards as its environment and the threat landscape change, so that it continues to meet the HIPAA Security Rule.
- HIPAA Compliance and Data Governance
- Business Associate Agreement (BAA): healthcare organizations must sign a BAA with any vendor that will create, receive, maintain, or transmit PHI before any PHI is shared with it. A BAA sets out the permitted uses and disclosures of PHI, the safeguards the vendor must maintain, its obligation to report security incidents and breaches, and the return or destruction of PHI when the agreement ends. It does not shift the healthcare organization's own responsibility to comply.
- Data Location: HIPAA does not prohibit storing PHI outside the United States, but data held abroad may be subject to foreign laws and harder to audit or recover, and that risk must be considered in the organization's risk analysis. Before choosing a HIPAA cloud provider, an organization should determine where the provider's data centers (including backup locations) are, and whether the provider will commit contractually to keeping data in agreed regions.
- Auditable: the Security Rule requires both covered entities and business associates to conduct a security risk analysis, so any vendor servicing a healthcare client must perform one. A security risk assessment (SRA) determines whether PHI is adequately safeguarded and identifies areas in which security measures are insufficient. The vendor should be able to show its results, or an independent audit or attestation, on request.
- Business Continuity: HIPAA cloud vendors must have secure offsite backup, tested recovery procedures, and data protection capabilities so that PHI remains available after an outage or incident.
Business Associate Agreements and Accountability
A good business associate agreement (BAA) will establish the level of service the vendor agrees to maintain and assign responsibilities clearly. For example, in the event of a data breach, the BAA should state how quickly the vendor must notify the healthcare organization, what information it must provide, and which party is responsible for notifying affected individuals and regulators, since the HIPAA Breach Notification Rule places the notification duty on the covered entity, who is relying on timely reports from its business associates.
Organizations should also consider:
- Managed Service: within the BAA or an accompanying service agreement, cloud vendors agree to a defined level of service management. Provisions usually include upgrading technology as needed and routinely performing the maintenance required to safeguard PHI. Technical support and monitoring may also be included.
- Service Level Agreements (SLA): the agreed level of service must be maintained, and if the vendor fails to do so it may face a financial penalty. An SLA should specify the Recovery Time Objective (how quickly service must be restored after a failure), the Recovery Point Objective (how much recent data may be lost, measured as a time window), and the guaranteed service uptime.
Other Services and Technology from HIPAA Cloud Providers
Finding the right HIPAA cloud provider can offer healthcare organizations a multitude of benefits. Although many healthcare providers choose vendors that offer Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), there are many more services healthcare organizations can take advantage of.
Other services that HIPAA cloud providers may be able to offer an organization include:
- Managed Backup Service: to prevent the loss of patient information, the HIPAA Security Rule requires healthcare organizations to maintain retrievable exact copies of electronic PHI as part of their contingency plan. Backups themselves contain PHI and must be protected, and encrypted, to the same standard as the live data.
- Managed Disaster Recovery (DR): in the event of a disaster, outage, or destructive incident such as ransomware, DR enables organizations to restore their systems and data from clean copies. This reduces the disruption to service and allows business-as-usual to continue.
- 24/7 Operational Support: round-the-clock support gives an organization assurance that should an issue arise, it can be addressed immediately rather than at the start of the next business day.
- Managed Network Services: technological infrastructure can be difficult for organizations without an IT department to maintain. Firewalls and network equipment managed by a HIPAA cloud provider give an organization confidence that its network is reliable and consistently configured.
- Migration Services to the Cloud: since healthcare organizations work with vast amounts of information, it is important to know whether the cloud provider can move data to the cloud efficiently and securely, with PHI encrypted while in transit. It is equally important to know how data can be exported again, so that if the organization chooses a different HIPAA cloud provider in the future, its data can be transferred and the previous provider's copies returned or destroyed as the BAA requires.
- Data Monitoring: keeping an audit log of who accessed PHI, when, and from where, and reviewing it regularly, supports the Security Rule's audit control and information system activity review requirements and helps detect unauthorized access.
- Intrusion Detection: monitors network and system activity for signs of unauthorized access or malicious behavior and alerts the cloud provider when it occurs. The vendor can then notify the organization that its data may have been compromised, which starts the clock on the organization's incident response and breach assessment.
- Multi-Factor Authentication (MFA): requires a password in combination with a second factor of a different kind, such as a hardware token, an authenticator app or push approval on a registered phone, or a fingerprint. A second password or PIN alone is not a second factor. MFA prevents an attacker who has obtained an employee's password, for example through phishing, from accessing sensitive data with it.
- Encryption: the Department of Health and Human Services (HHS) strongly recommends that healthcare organizations encrypt PHI at rest and in transit. Encryption renders the data unreadable to anyone without the key, and under HHS guidance PHI that was encrypted to the recommended standards at the time it was lost or stolen is not considered compromised, so the loss may not be a reportable breach. This protection depends on the keys being managed securely and kept separate from the encrypted data.
Do You Need Help Vetting Your HIPAA Cloud Provider?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, The Guard™, gives healthcare professionals everything they need to demonstrate their "good faith effort" towards HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and MSP security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.