A covered entity (CE) under HIPAA (for example, a healthcare provider or payor) needs to treat the cloud storage provider (CSP) as a business associate (BA). This means that CSPs storing PHI are subject to HIPAA and need to have appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule. Some in the regulated community had posited that a CSP could be considered a “mere conduit” (a recognized exception under the HIPAA regulations), but OCR made clear that this is not the case.
Once we describe a CSP as a BA, many other requirements flow naturally: The CE and the BA must have a business associate agreement (BAA) in place; the CE needs to understand the BA’s cloud environment for purposes of its own risk analysis; both the CE and BA need to hold up their ends of the bargain in terms of implementing security controls; and so on.
A HIPAA Compliance Checklist for Healthcare Cloud Storage
Beyond these considerations, there are some less obvious issues to consider:
Is your healthcare cloud actually storing patient health information?
De-identified data is not PHI, but encrypted PHI is still PHI. Most, if not all, commercial CSPs willing to sign a BAA with a CE will require that PHI be encrypted before being stored on the infrastructure.
What are a healthcare CSP’s obligations with respect to encrypted PHI?
The CSP is responsible, under the HIPAA regulations, for maintaining the integrity and availability of the PHI. That does not change if the PHI is encrypted.
What does a CE need to do to confirm that a healthcare CSP is in compliance?
A CE must confirm to its satisfaction that technical issues, such as potential malware attacks, are dealt with appropriately and that administrative and physical safeguards are in place regarding physical security and contingency planning (for example, data center redundancy to deal with potential natural disasters or other emergencies). Not everyone is welcome to inspect the cloud storage facilities, so CSPs commonly conduct third-party audits and share the reports (such as system and organization controls reports) with customers.
Is there anything else to consider?
A CE needs to confirm that a CSP’s service-level agreement does not conflict with HIPAA compliance. For example, if the SLA does not guarantee near-100 percent uptime, is the CE maintaining “availability” of PHI as it must? Does the SLA include sufficient protections against the potential effects of a ransomware attack?
Speaking of ransomware, should a CE maintain an “air-gapped” backup, separate from its main cloud instance, just in case? Does the CSP agreement provide adequate assurances that the CE’s access to its records, its patients’ PHI, will not be blocked or terminated? Where is the data center located? If it is offshore, that may be fine from a regulatory perspective, but be sure to think about how easy or difficult it may be to enforce your rights in a foreign justice system.
Keep Other Regulations in Mind When Storing PHI in the Cloud
Finally, it is important to remember that cloud storage of health data is not always, or only, a HIPAA issue.
Depending on the type of data, the parties involved, and the way in which they are contracting regarding the storage and use of the data, a number of other regulatory schemes may be implicated.
For example, it may be necessary to consider the confidentiality rules of Title 42 of the Code of Federal Regulations Part 2 (42 CFR Part 2), the Federal Trade Commission’s approach to regulating individual data privacy rights, individual states’ approaches to regulating the storage and use of health data, or even other countries’ approaches (for example, the European Union’s General Data Protection Regulation).
We can move PHI to the cloud, but compliance questions will follow us wherever we go.
The right partner can be key to helping you stay compliant in the cloud.