Cloud Computing Platforms & HIPAA Compliance

If cloud services are to be used by healthcare organizations for storing or processing protected health information (PHI), or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure before they are implemented.

Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis (see 45 CFR § 164.308(a)(1)(ii)(A)) has been performed.

A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service (45 CFR § 164.308(a)(1)(ii)(B)). Any risks identified must be managed and reduced to a reasonable and appropriate level.

It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform provider.

Cloud Service Providers = HIPAA Business Associates

A HIPAA business associate is any individual or entity that performs functions on behalf of a covered entity, or offers services to a covered entity, that involve being given access to protected health information (PHI).

The HIPAA definition of business associate was amended by the HIPAA Omnibus Rule to include any entity that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to suppliers of cloud computing platforms.

Due to this, a covered entity must obtain a signed business associate agreement (BAA) from the cloud platform supplier. The BAA must be obtained from the cloud platform provider before any PHI is saved using the platform. A BAA must still be obtained even if the platform is only used to store encrypted ePHI, and even if the decryption key is not given to the platform provider. The only exception would be when the cloud platform is only used to store, process, maintain or transmit de-identified ePHI.

The BAA is a legal agreement between a covered entity and a service provider. The BAA must establish the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all elements of the HIPAA Rules that apply to the platform provider. Details of a HIPAA-compliant BAA can be obtained from the HHS.

Cloud computing platform suppliers and cloud data storage companies that have access to PHI can be fined for not adhering to the HIPAA Rules, even if the service provider never views any data uploaded to the platform. Not all cloud service firms will therefore be willing to sign a BAA.

A BAA Does Not Mean a Covered Entity Is HIPAA Compliant

Simply completing a BAA for a cloud computing platform will not ensure a covered entity is compliant with the HIPAA Rules. HIPAA Rules can still be violated even with a BAA in place, because no cloud service can be truly HIPAA compliant by itself. HIPAA compliance depends on how the platform is implemented and used.

Financial Punishments for Cloud-Related HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered entities that did not obtain business associate agreements before uploading PHI to the cloud, as well as for risk analysis and risk management failures.

St. Elizabeth's Medical Center in Brighton, Massachusetts, agreed to settle its case with OCR in 2015 for $218,400 for potential breaches of the HIPAA Security Rule after PHI was uploaded to a document sharing service without first assessing the risks of implementing that service.

Phoenix Cardiac Surgery also agreed to settle a case with OCR for not obtaining a business associate agreement from a vendor of an Internet-based calendar and email service prior to using the service with PHI. The case was settled for $100,000.

In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being saved in the cloud without first obtaining a HIPAA-compliant business associate agreement.

Implementation of the Cloud by Healthcare Groups

An increasing number of healthcare groups are using the cloud and cloud services. In January 2017, HIMSS Analytics studied use of the cloud at 64 healthcare groups of all sizes. The survey showed 65% of healthcare groups are now using the cloud or cloud services, including smaller hospitals (<50 beds).

The largest area of growth is the use of software-as-a-service (SaaS), growing from 20% in 2014 to 88% in 2016, followed by disaster recovery, up from 42% to 61%, and use of the cloud for hosting clinical applications, which climbed from 52% to 63%.

A HIMSS/ClearData survey was also carried out on 50 respondents from the largest healthcare groups in the United States (20% with 101-250 beds, 32% with 252-500 beds, 36% with 500+ beds). 84% of those organizations are currently using cloud services, with 74% planning to move existing or new workloads to the cloud.

Out of the large healthcare groups that have already adopted cloud services, 85.7% did so for IT (including backups, desktop and server virtualization, managing archived data), 81% for administrative functions (financial, operational, HR and back office applications and data), 57% for analytics and 40.5% for clinical applications and external data sharing.

For large groups, the most common uses of the cloud are for hosting analytics applications and data (48%), hosting financial applications and data (42%), for operational applications and data (42%) and HR applications and data (40%). 38% were implementing the cloud for disaster recovery and backups.

Microsoft Azure and Amazon AWS are the most popular platforms, and also the most highly rated in the HIMSS survey. Amazon has long been the leading cloud service supplier, although Microsoft appears to be catching up, according to a comparison of Azure and AWS.

The main benefits to healthcare groups moving to the cloud were: performance and reliability, ease of management, total cost of ownership, and infrastructure agility.

While the cloud has clear advantages, it is not without challenges. The biggest hurdles for healthcare groups were seen as cost/fees (47.6%), customer service (33.3%), migration of data and services (26.2%), and availability and uptime (23.8%).
