Though cloud service providers have long been known as HIPAA business associates, the passing of the HIPAA Omnibus Rule in 2013 made this clearer: “A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
The HIPAA conduit exception rule does not apply to cloud service suppliers. Companies are only thought of as ‘conduits’ if they offer a transmission only communication services when access to communications is only transient in nature. Cloud service providers are not thought of as conduits, even if the service provider encrypts all data and does not hold the keys to remove the encryption.
Due to this, a business associate agreement must be completed with the cloud platform or service provider before the platform or service is used for storing, processing, or sending ePHI.
If the cloud service used solely for sharing or storing de-identified PHI, a BAA is not necessary. De-identified PHI is no longer PHI, once all identifiers have been removed from the data.
Cloud computing and HIPAA compliance are not at war with each other. You can take advantage of the cloud and even enhance security, but there are important considerations for any healthcare groups considering using cloud services for storing, sharing, processing, or backing up ePHI
1. Risk Analysis & Risk Management
Before using any cloud service it should be subjected to a risk assessment. HIPAA-covered groups and their business associates must carry out their own risk analysis and establish risk management policies.
2. Business Associate Agreements (B.A.A.)
Prior to using any cloud platform or service is relation to ePHI, the service provider and covered entity must complete a HIPAA-compliant business associate agreement. The use of a cloud service without a BAA in place is a breach of HIPAA Rules.
3. Service Level Agreements (SLA)
Along with a BAA, covered groups should consider a service level agreement (SLA) including more technical aspects of the service, which may or may not address HIPAA worries. The service level agreement can cover system uptime, reliability, data backups, disaster recovery processes, customer service response times, and data rescue or deletion when the BAA comes to an end. The SLA should also include the fines should performance fall short of what has been agreed.
4. Using Encryption
Any data shared using the cloud should be secured by end-to-end encryption, and any data stored in the cloud should be encrypted while stationary. Full considerations should be given to the level of encryption used by the CSP, which should meet NIST standards. While encryption is wise, it will not satisfy all Security Rule requirements and will not maintain the integrity of ePHI nor ensure its availability.
5. Using Access Controls
Covered groups must ensure that access controls are properly configured to ensure that only authorized people can access ePHI stored in the cloud. Before using of any cloud platform or service, the administrative and physical controls implemented by the cloud service provider should be carefully considered.
6. Available Data Storage Locations
Covered groups should determine the locations where data is saved and risks associated with those locations should be estimated during the risk analysis. Cloud service providers often store data in many locations to ensure fast access and rapid data recovery should a disaster happen. Data protection laws in foreign countries may differ quite a bit from those in the U.S.
7. Keeping an Audit Trail
Healthcare groups must have visibility into how cloud services are implemented, who is accessing cloud data, failed attempts to view cloud resources, and files that have been shared, uploaded, or downloaded. An audit trail must be kept and logs should be reviewed regularly.
Cloud Benefits for Healthcare Groups
Some of the key advantages for healthcare groups from transitioning to the cloud are:
- Connecting a public cloud with data centers allows healthcare groups to increase capacity without having to invest in additional hardware
- The cloud is very scalable – Capacity can be easily increased
- Healthcare groups can enhance security by avoiding transporting ePHI on portable devices such as zip drives, portable hard drives, and laptop computers. The loss and theft of portable devices is a major cause of HIPAA data violations
- The cloud makes sharing ePHI with partners, patients, and researchers simpler and quicker
- An unlimited amount of data backups can be stored in the cloud. Data can be rescued quickly in the event of disaster
- The cloud can help healthcare groups decommission legacy infrastructure and improve security
- The cloud allows healthcare groups to minimize their data center footprints
- Healthcare data can be safely accessed by authorized people in any location
- The cloud allows healthcare groups to offer and improve their telehealth services
- The cloud supports the creation of an edge computing system to lessen latency and speed up data access