The scalability of the cloud has encouraged healthcare providers to move more and more of their data to the cloud. But meeting regulatory compliance requirements under HIPAA in a cloud environment can be challenging. That's why many hospitals are, and should be, teaming up with managed service providers to ensure data security compliance under the demands of new cloud-driven infrastructures.
HIPAA’s Cloud Security Rules
Many CIOs are a little apprehensive about whether cloud computing can keep electronic personal health information (ePHI) safe without running the risk of a hefty HIPAA compliance fine.
Current HIPAA rules require a clinician or healthcare information owner to enter into a business associate agreement (BAA) with the cloud service provider (CSP) to remain compliant. A service level agreement (SLA) can also address specific HIPAA concerns such as:
- System availability and reliability
- Backup and data recovery
- How ePHI will be returned to the hospital or practice after the service is terminated
- Encryption of data in transit and at rest, access controls, audit trails, and data storage locations
- How the cloud service provider will use, retain, and disclose ePHI
These agreements also cover the Breach Notification Rule, which requires a CSP to report any security incidents to their business associates. Without these documents in place, your business runs the risk of non-compliance in the cloud. In addition, a security breach and loss of data can cost between $100 and $1.5 million per violation, depending on the severity of the breach.
As extensive as these rules are, HIPAA isn't keeping up with the latest advancements in technology and data collection. A BAA in the cloud might be clearly defined, but the plethora of third-party vendors who now slice and dice patient data under these agreements are not. Even in 2009, the year of the last update to HIPAA's Security Rule, wearable fitness trackers were not common and telehealth was an infrequent occurrence.
Despite the holes in HIPAA's requirements for new technologies, healthcare providers are still concerned about their liability if regulators determine they are failing to protect patient data in the cloud. So what is the best insurance policy for hospitals concerned about HIPAA compliance?
Managed CSPs May be the Answer
CSPs can help fill in the gaps left by HIPAA by ensuring a fully compliant and secure platform that covers all the bases, including ones HIPAA hasn't considered. To remain competitive in the growing cloud space, leading providers go out of their way to implement the latest security measures and regular audits, as well as clearly defined processes that fit into HIPAA's framework and beyond.
Just remember: a CSP's claim of HIPAA compliance does not remove your responsibility. Most healthcare organizations do not have the security staff on hand to monitor a cloud service provider's HIPAA compliance. Managing these complicated end-to-end infrastructures takes the additional support that managed CSPs can offer.
Synoptek Quick Take
The cloud can help hospitals scale their data analytics and capabilities without adding overhead. But is the cloud HIPAA compliant? Companies responsible for ePHI have to be extra careful to avoid costly non-compliance penalties. Outdated rules have created potential non-compliance situations with new technology. CSPs help fill the gaps by providing additional security and consultation for today's ever-changing cloud environments.