As healthcare professionals continue to embrace digital technologies to safeguard their patients’ information, there is an industrywide need to ensure digital ecosystems are compliant with the Health Insurance Portability and Accountability Act.
This is particularly true as healthcare providers pivot to cloud storage, in addition to on-premises options. This move can help them prepare for precision medicine and population health, which requires reams of data and a complex infrastructure for analytics and storage — all of which can be best accomplished in the cloud.
While cloud storage can be helpful and healthcare cloud adoption has grown exponentially, a survey conducted by Bitglass found it is trailing behind other industries thanks to HIPAA regulations. By gaining a better understanding of how to store data effectively, securely and compliantly in the cloud, providers can take the first steps to catching up with other industries.
The Basics of HIPAA-Compliant Cloud Storage
While many in the industry may rail against “antiquated” HIPAA rules, it is worth noting that they are extraordinarily flexible. They may have been written before the realities of application programming interfaces and cloud computing, but that does not mean that HIPAA cannot accommodate new technological developments. If new rules were required every time technology advanced, the rules would be perpetually rewritten and would never catch up.
The Department of Health and Human Services’ Office for Civil Rights (OCR) has done a good job over the years of releasing guidance documents that explain how HIPAA regulations apply to real-world situations. Today’s example is the 2016 OCR guidance on cloud computing. It frames the issues that the regulated community needs to consider when employing cloud computing for storing, using or sharing protected health information (PHI) in a HIPAA-compliant manner.
A covered entity (CE) under HIPAA (for example, a healthcare provider or payor) needs to treat the cloud storage provider (CSP) as a business associate (BA). This means that CSPs storing PHI are subject to HIPAA and need to have appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule. Some in the regulated community had posited that a CSP could be considered a “mere conduit” (a recognized exception under the HIPAA regulations), but OCR made clear that this is not the case.
Once we describe a CSP as a BA, many other requirements flow naturally: The CE and the BA must have a business associate agreement (BAA) in place; the CE needs to understand the BA’s cloud environment for purposes of its own risk analysis; both the CE and BA need to hold up their ends of the bargain in terms of implementing security controls; and so on.
A HIPAA Compliance Checklist for Healthcare Cloud Storage
Beyond these basics, there are some less obvious issues to consider:
Is your healthcare cloud actually storing patient health information?
De-identified data is not PHI, but encrypted PHI is still PHI. Most, if not all, commercial CSPs willing to sign a BAA with a CE will require that PHI be encrypted before being stored on the infrastructure.
What are a healthcare CSP’s obligations with respect to encrypted PHI?
The CSP is responsible, under the HIPAA regulations, for maintaining the integrity and availability of the PHI. That does not change if the PHI is encrypted.
What does a CE need to do to confirm that a healthcare CSP is in compliance?
A CE must confirm to its satisfaction that technical issues, such as potential malware attacks, are dealt with appropriately and that administrative and physical safeguards are in place regarding physical security and contingency planning (for example, data center redundancy to deal with potential natural disasters or other emergencies). Not everyone is welcome to inspect the cloud storage facilities, so CSPs commonly conduct third-party audits and share the reports (such as system and organization controls reports) with customers.
Is there anything else to consider?
A CE needs to confirm that a CSP’s service-level agreement does not conflict with HIPAA compliance. For example, if the SLA does not guarantee near-100 percent uptime, is the CE maintaining “availability” of PHI as it must? Does the SLA include sufficient protections against the potential effects of a ransomware attack?
Speaking of ransomware, should a CE maintain an “air-gapped” backup, separate from its main cloud instance, just in case? Does the CSP agreement provide adequate assurances that the CE’s access to its records (its patients’ PHI) will not be blocked or terminated? Where is the data center located? If it is offshore, that may be fine from a regulatory perspective, but be sure to think about how easy or difficult it may be to enforce your rights in a foreign justice system.
Keep Other Regulations in Mind When Storing PHI in the Cloud
Finally, it is important to remember that cloud storage of health data is not always, or only, a HIPAA issue.
Depending on the type of data, the parties involved, and the way in which they are contracting regarding the storage and use of the data, a number of other regulatory schemes may be implicated.
For example, it may be necessary to consider the confidentiality rules of Title 42 of the Code of Federal Regulations, Part 2; the Federal Trade Commission’s approach to regulating individual data privacy rights; individual states’ approaches to regulating the storage and use of health data; or even other countries’ approaches (for example, the European Union’s General Data Protection Regulation).
We can move PHI to the cloud, but compliance questions will follow us wherever we go.
The right partner can be key to helping you stay compliant in the cloud.