The “cloud”-a network of servers used for data storage-has seen widespread use in recent years. It offers a convenient and flexible way for organisations-including healthcare providers and other covered entities-to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of is it possible to use cloud services and remain HIPAA compliant must be addressed.
Covered entities (CEs) can use private and secure cloud services which allow the organisation to tailor the service to their specific data storage needs. Due to the booming interest in cloud storage, there are now wide range of companies offering cloud based services to the healthcare industry.
However, any CE using the cloud must exercise extreme caution, especially when it comes to uploading data to these servers. HIPAA legislation has been updated since it was first introduced in 1996 to deal with this technology and the issues it brings.
Many healthcare providers have ventured into the cloud already and have implemented their own measures to ensure that PHI is secured. Today, several providers of cloud services are taking care of this aspect of the business and are offering “HIPAA compliant” cloud services. However, even if the service itself is “HIPAA compliant”, violations may still occur. It is the responsibility of the organisation to ensure that its employees use the service in a HIPAA compliant manner.
If you are considering using cloud services, it is important to find a Cloud Service Provider (CSP) that offers a standard-based cloud environment, and ensure that it can certify that it has implemented the security measures necessary to comply with HIPAA. The CSP will become a Business Associate, and will be required to comply with HIPAA and would need to be able to pass a compliance audit.
Choosing a CSP
Many different factors must be taken into consideration by a covered entity while choosing a CSP, in accordance with their specific security needs.
Controlling Access to PHI
It is essential that the CSP maintains control of any PHI that is placed in the cloud, as they are responsible for its security. They must be able exercise full access control when the data is stored. Only authorized individuals must be permitted to access the data, and that access must be limited to the minimum necessary information for any task to be performed. These controls must be fully documented; if a CSP can provide documentation, it must be able to stand up to a full compliance audit.
It is recommended that an organisation considering using cloud storage that they ask CSP if they are willing to prove compliance, and provide documentation demonstrating access controls are in place. They must further investigate who has access to the system, when they can access it and if anyone else who could potentially access stored data, including backups. Intense research into the CSP’s policies is a good measure to take to prevent HIPAA violations from occurring.
Method of Storing PHI
If an audit is performed on your organisation, you will be required to show where your data is stored. It is compulsory that you are always aware of the location of your data, so it is pertinent that find out from the CSP exactly where their servers are located. You should only use cloud service providers with servers based in the United States. Data stored on servers in other countries could be subject to the laws in those countries, which may not offer the same level of protection as in the United States.
Any cloud service in which several customers share a virtual instance of a software application should be avoided for security reasons. Many companies offer this architecture, as it saves on costs on their part. However, it rarely provides the necessary protections to prevent customers from accessing each other’s data.
It is also essential to encrypt data both at rest and in transit. This includes all data stored in backups. It is essential that inventory control is maintained on all devices used to store that PHI.
According to HIPAA legislation, PHI must still be accessible the event of a power outage, natural disaster or other emergency. Data must always be made accessible, and it must be possible to restore any accidentally deleted or corrupted data. Restoration from backups must be tested and documentation obtained to cover disaster recovery processes.
Business Associate Agreements
Once your organisation has completed a thorough risk assessment regarding the use of a CSP, and you are sure that the service offers all the necessary safeguards to protect PHI and personal identifiers of patients and plan members, a Business Associate Agreement must be signed by both parties for HIPAA compliance to be achieved. This is a piece of documentation stating the obligations of each party, and it must be signed before access to data is provided.