Hospitals, clinics, and other health organizations have had a bumpy road towards cloud adoption over the past few years. The implied security risks of using the public cloud or working with a third-party service provider considerably delayed cloud adoption in the healthcare industry.
Even today, when 84% of healthcare organizations use cloud services, the question of choosing the right cloud solution can be a headache.
Between looking at services offered and price points, healthcare institutions also need to consider vendors’ HIPAA compliance-readiness.
Namely, all health product or service providers whose clients’ data is stored in the U.S. are subject to a set of security regulations by law. Known as HIPAA compliance, this set of regulations applies not just to medical and dental institutions but also to some other sectors.
Today, any organization that handles confidential patient information needs to be HIPAA compliant. Whether it is data security storage or a business partnership, most companies working with healthcare institutions need to follow this standard.
What is HIPAA Compliance?
HIPAA standards provide security and protection of health data. Any vendor working with a healthcare organization or business handling health files must abide by the HIPAA privacy rules. There are also many ancillary industries that must adhere to the guidelines if they have access to medical and patient data. This is where cloud storage plays a significant role.
Most healthcare institutions use some form of electronic devices to provide medical care. This means that information no longer resides on a paper chart, but on a computer or in the cloud. Unlike general businesses or most commercial entities, health care institutions are legally obliged to employ the strongest data security practices.
So, how does this affect their choice of a cloud provider?
When planning their move to cloud computing, health care institutions need to ensure their vendor meets specific security criteria.
These criteria translate into requirements and thresholds that a company must meet and maintain to become HIPAA-ready. These come down to a set of certifications, audits, encryption levels, and physical security measures.
A HIPAA cloud storage services company also should work to make becoming compliant simple and straightforward. This way, healthcare organizations have one less thing to worry about and can focus on improving their critical processes.
History of the Health Insurance Portability and Accountability Act
Before we delve deeper into HIPAA compliance-ready cloud storage, let’s take a step back and define what HIPAA brings to the healthcare industry.
Enacted in 1996, the U.S. federal government’s Health Insurance Portability and Accountability Act aims to ensure the highest level of privacy for patient information. Providing guidelines on how this can be achieved, HIPAA created a legal groundwork for patient data protection.
At the time it was introduced, the act did not restrict the use of technology. As digital systems became more ubiquitous and as cloud grew more prevalent, the HIPAA rules adapted to these changes.
To achieve security compliance, an organization must undergo training in critical areas. Some of these are compliance, technical controls, backup management, and physical security.
Establishing procedures and making sure everyone understands and follows them takes significant resources.
The specific focus points for organizations overseeing private patient data must include:
- Access control
- Backup management
- Physical security
- Audit control
- System integrity
- Transmission security
Patient information maintained at a high level of security is only accessible to those with clearance. Companies or individuals who have not attained sufficient security clearance will not receive access. Procedures to protect customer privacy include:
- Defining safeguards to protect private patient data;
- Minimizing the number of touches, only accessing what is necessary;
- Establishing a needed purpose for each touch;
- Restricting the number of accounts that can access private customer data;
- Implementing education programs for all parties with access.
An important step towards enforcing these rules was made in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Established to promote the adoption and meaningful use of technology in healthcare, this act extended the HIPAA regulation to cover IT-related aspects.
Besides that, the 2010 Omnibus rule refined how the HIPAA compliant storage requirements applied to entities like healthcare providers and their business partners. This rule made an important difference for the adoption of the cloud, as it addressed third-party HIPAA cloud storage provisioning.
What are HIPAA compliant storage requirements?
A cloud service provider doing business with a company operating under the HIPAA-HITECH act rules is considered a business associate. As such, it must show that it has a cloud compliance program and follows any relevant standards. Although the vendor does not directly handle patient information, it does receive, manage, and store Protected Health Information (PHI). This fact alone makes them responsible for protecting it according to HIPAA-HITECH act guidelines.
Being HIPAA compliant means implementing all of the rules and regulations that the Act proposes. Any vendor offering services that are subject to the act must provide documentation as proof of their conformity. This documentation needs to be sent not only to their clients but also to the Office for Civil Rights (OCR). The OCR is a sub-agency of the U.S. Department of Education, which promotes equal access to healthcare and human services programs.
Healthcare industry organizations looking to work with a HIPAA cloud storage provider should request proof of compliance to protect themselves. If the provider follows all standards, it should have no qualms about sharing the appropriate documentation with you.
HIPAA requirements for cloud storage organizations are the same as the requirements for business associates. They fall into three distinct categories: administrative, physical, and technical safeguards.
- Administrative Safeguards. These types of safeguards are transparent policies that outline how the business will comply from an operational standpoint. The operations can include risk management, assessments, appropriate procedures, disaster and emergency response, and managing passwords.
- Physical Safeguards. Physical safeguards are usually systems that are in place to protect customer data. They might include proper storage and backup and appropriate disposal of media at a data center. Necessary security precautions for facilities where hardware or software storage devices reside are also a part of this category.
- Technical Safeguards. This group of safeguards refers to technical features implemented to minimize data risk and maximize protection. Requiring unique login information, auto-logoff policies, and authentication for PHI access are just some of the technical safeguards that should be in place.
What Makes a Cloud Provider Compliant?
Providing HIPAA compliant cloud storage hardware or software is not as simple as flipping a switch. It takes a tremendous amount of time and effort for a company to become compliant.
The critical element to look for in a compliant cloud storage provider is its willingness to sign a Business Associate Agreement. Known as a BAA, this agreement is completed between two parties planning to transmit, process, or receive PHI. Its main purpose is to protect both parties from any legal repercussions resulting from the misuse of protected health information.
A Business Associate Agreement must not add, subtract, or contradict the overall standards of the HIPAA. However, if both parties agree, supplementing specific terminology is acceptable. There are also some core terms that make up the groundwork for a compliant business associate agreement and must remain for the agreement to be considered legally binding.
The level of encryption enabled by the cloud provider needs proper attention. The company should be encrypting files not only in transit, but also at rest. Advanced Encryption Standard (AES) is the minimum level of encryption that it should use for file sharing and storage. AES is a successor to Data Encryption Standard (DES) and was developed by the National Institute of Standards and Technology (NIST) in 1997. It is an advanced encryption algorithm that offers improved defense against different security incidents.
HIPAA Security - How can I be Sure?
Cloud providers that take compliance seriously will ensure their certifications are current. There are several ways to check if they follow standards and relevant regulations.
One way is to audit your potential provider using an independent party. Auditing will bring any possible risks to your attention and reveal the vendor’s security tactics. Cloud storage providers must regularly audit their systems and environments for security threats to remain compliant. The term ‘regularly’ is not defined by the act, so it is essential to request documentation and information on at least a quarterly basis. You should also ensure you have constant access to reports and documentation detailing the most recent audit.
Another way to determine whether the company is compliant is to assess the qualifications of its employees. All staff need to be educated on the most current standards and familiarized with the specific safeguards. Only with these in place can organizations achieve compliance.
Ask your potential vendor tough questions. Anyone with access to PHI needs appropriate training on secure data transmission methods. Training needs to include the ability to protect patient information no matter where it resides.
A HIPAA compliant company will not ask you for a backdoor to access your data or permission to bypass your access management protocols. Such vendors recognize the risk of requiring additional authentication or access points. Compromising access to authentication protocols and password requirements is a serious security violation and should never happen.
Selecting a HIPAA Compliant Data Storage Vendor
When choosing a HIPAA compliant provider, look for those that meet the measures outlined in the previous section. Make sure you ask them about their data storage security practices to learn how safe your PHI data will be.
Does the potential vendor offer a service level agreement?
An SLA contract indicates guaranteed response times to security threats, typically within a twenty-four-hour window. As a company dealing with PHI, you need to know how quickly the provider can notify you in the event of an incident. The faster you receive a breach notification, the more efficiently you can respond.
Don’t forget that your records will be stored in a secure data center. What security measures are in place in case of security incidents? How is access to the facility determined? Ask for a detailed outline of how they implement and enforce physical security. Check how they respond in the event of a cloud security breach notification. Make sure you get all the relevant details before you put your data at risk.
Your selected vendor should also have a HIPAA Disaster Recovery and Continuity Plan in place. A continuity plan will anticipate loss due to natural disasters, security breaches, and other unforeseen incidents. It will also provide necessary processes and procedures if or when such events occur. Concerning the data loss prevention plan, it is also essential to determine how often the proposed method undergoes rigorous testing.
Do they offer HIPAA compliant email?
Ask potential cloud vendors which method they use to evaluate your HIPAA compliance.
Is a HIPAA policy template available for use? Does the provider offer guidance and feedback on compliance? How do they ensure that you are up to date and aware of security rules and regulations?
Does the company have full-time employees on-premise?
Having a presence on site and available around the clock is a mechanism to ensure advanced security. An available representative makes PHI security more reliable and guarantees a quick response if needed. It also gives you peace of mind knowing that the company in charge of your data protection is thoroughly versed in the needed standards.
The right provider should also be quick to adapt to the changes and inform you of anything that directly affects your PHI or your access to it.
Data deletion is a crucial component of choosing the appropriate HIPAA business associate. How long is the information kept before being purged? How is data leakage prevented when servers are taken out of commission or erased? Is the data provided to you before deletion? The act offers no guidelines concerning the required length of time, so it is an agreement you and your provider must reach together.
In addition to your own knowledge, determine how well your potential provider is versed in HIPAA regulations. Cloud companies often fail to follow the latest regulation changes, so look for one that shows consistent dedication to keeping up.
Shop around. Do not be content with the first quote. Many companies tout their HIPAA security, only for their customers to discover that they fall short of the measuring stick. Do your research, ask questions, and determine which vendor best suits your needs.
What is the next step?
When it comes to protecting your PHI data, phoenixNAP will support your efforts with the highest service quality, security, and dependability.
We provide a selection of data centers which offer state-of-the-art protection for your medical files. With scalable cloud solutions, unsurpassed security, a 100% uptime guarantee, and unmatched disaster recovery, you can rest assured that your infrastructure is compliant.
HIPAA certification requirements can be confusing, complicated, and stressful.
You need to be able to trust your cloud provider to keep your files safe. phoenixNAP Global IT Services will allow you the freedom to focus your attention on other areas of your business and ensure the protection of your entities and business associates.