HIPAA Cloud Computing
Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.
A comprehensive, HIPAA-compliant risk analysis is not possible unless the covered entity fully understands the cloud computing environment and the service the platform provider is offering.
A covered entity must also obtain a signed business associate agreement (BAA) from the cloud platform provider, and it must do so before any PHI is uploaded to the platform. A BAA is still required when the platform is only used to store encrypted ePHI, even if the decryption key is never given to the platform provider. The only exception is when the platform is used solely to store, process, maintain or transmit de-identified data, which by definition is no longer PHI.
Cloud computing platform providers and cloud storage companies that maintain PHI can be fined for failing to comply with HIPAA Rules, even if they never view the data uploaded to the platform. Not all cloud service providers are therefore willing to sign a BAA.
Simply obtaining a BAA for a cloud computing platform will not ensure a covered entity is compliant with HIPAA Rules. HIPAA Rules can still be violated, even with a BAA in place. This is because no cloud service can be truly HIPAA compliant by itself. HIPAA compliance will depend on how the platform is used.
In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being stored in the cloud without first obtaining a HIPAA-compliant business associate agreement.
An increasing number of healthcare organizations are taking advantage of the cloud and cloud services. In January 2017, HIMSS Analytics studied use of the cloud at 64 healthcare organizations of all sizes. The survey showed that 65% of healthcare organizations are now using the cloud or cloud services, including smaller hospitals.
The biggest area of growth is the use of software-as-a-service (SaaS), jumping from 20% in 2014 to 88% in 2016, followed by disaster recovery, up from 42% to 61%, and use of the cloud for hosting clinical applications, which increased from 52% to 63%.
Out of the large healthcare organizations that have already adopted cloud services, 85.7% did so for IT (including backups, desktop and server virtualization, hosting archived data), 81% for administrative functions (financial, operational, HR and back office applications and data), 57% for analytics and 40.5% for clinical applications and external data sharing.
For large organizations, the most common uses of the cloud are hosting analytics applications and data (48%), hosting financial applications and data (42%), operational applications and data (42%), and HR applications and data (40%). A further 38% were using the cloud for disaster recovery and backups.
When asked to rate the top factors that were considered when choosing a cloud service provider, top of the list was adherence to regulatory requirements such as HIPAA and HITECH, rated in the top three by 54% of organizations, followed by the willingness to meet BAA requirements (38%) and technical security (32%). In terms of security, the biggest cloud vendors are perceived to be the best choice as they can afford to hire the very best staff and can devote huge resources to ensuring their platforms are secure.
Microsoft Azure and Amazon AWS are the most commonly chosen platforms, and also the most highly rated according to the HIMSS survey. Amazon has long been the leading cloud service provider, although Microsoft appears to be catching up.
While there are clear benefits, use of the cloud is not without challenges. The biggest challenges for healthcare organizations were seen as cost/fees (47.6%), customer service (33.3%), migration of data and services (26.2%), and availability and uptime (23.8%).
Under HIPAA, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. This includes cloud providers, whether they offer a public, private, or hybrid cloud. Covered entities that plan to use a business associate's services need to make sure they enter into a HIPAA-compliant business associate agreement (BAA). This helps ensure that their cloud infrastructure carries the same HIPAA protections as their on-premises systems.
The BAA is a contract between the covered entity and the service provider acting as its business associate. It should spell out the permitted uses and disclosures of PHI, as well as the safeguards in place to prevent unauthorized access to or use of that data. If you use multiple cloud providers (i.e., you have a multi-cloud environment), you will need a BAA with each provider that handles PHI.
On-premises data centers and workstations should already sit behind a properly configured firewall; a typical HIPAA audit will check for this. The HIPAA Security Rule also requires audit controls, meaning logging, auditing, and monitoring of access to ePHI, so any firewalls or UTM appliances, whether on-premises or in the cloud, need such logging enabled, and the logs must be retained and actually reviewed.
Any data transmitted to or from the cloud should be protected by end-to-end encryption in transit, and any data stored in the cloud should be encrypted at rest. Note, however, that encryption is only one addressable specification of the Security Rule; access controls, audit controls, integrity controls, and the management of the encryption keys themselves still have to be addressed.
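As an added illustration of the two encryption requirements above, the following Amazon S3 bucket policy enforces them at the API boundary: it refuses any request that does not arrive over TLS, and it refuses object uploads that are not server-side encrypted with a KMS key. This is example code written for this page, not taken from the original article or from Connectria, AWS or Google; the bucket name `example-phi-bucket` is a placeholder. The first `PutObject` statement catches uploads that name the wrong encryption method, the second catches uploads that omit the encryption header entirely, which is why both are needed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsNotEncryptedWithKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

A policy like this is a technical safeguard, not compliance in itself: it says nothing about who may read the objects, whether access is being logged and reviewed, or who controls the KMS key, and it does not replace the BAA with the provider. Those remain the covered entity's responsibility, as the rest of this page describes.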
Unless you are a healthcare IT company or a compliance company, the steps above are probably not part of your core competencies, and as your cloud footprint expands the terrain only becomes more complicated. When that happens, it helps to have a third-party provider with in-house HIPAA expertise who can guide you through the process and help ensure compliance in the public cloud.
Contact Connectria if you still have questions about HIPAA compliance. We help healthcare organizations maintain compliance with HIPAA/HITECH security standards for the storage of PHI, whether workloads are housed in one of our private clouds or in a public cloud like AWS. We can help with audit trails and reporting, so your in-house IT teams can focus on the more strategic aspects of your business.
Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates. The Business Associate Addendum (BAA) is an AWS contract that is required under HIPAA rules to ensure that AWS appropriately safeguards protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by AWS, based on the relationship between AWS and our customers, and the activities or services being performed by AWS.
There is no HIPAA certification for a cloud service provider (CSP) such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule.
Cloud computing provides undeniable benefits for storing and accessing electronic health records. Files stored in the cloud are accessible anytime and anywhere from any device, which makes it easy to share critical medical information between healthcare workers. But is cloud storage secure enough to store, access and transfer sensitive personal and medical information?
When a covered entity stores PHI in the cloud, the cloud storage service is considered by law to be a business associate of the covered entity. To be HIPAA compliant, therefore, a Business Associate Agreement has to be in place. That agreement needs to state that the cloud service provider shall:
A HIPAA-compliant cloud storage service incorporates all the required controls to ensure the confidentiality, integrity and availability of ePHI. The covered entity remains responsible for developing policies and procedures covering the use of HIPAA-secure cloud storage for this information.
The HIPAA Security Rule requires covered entities and business associates to protect the integrity of ePHI against unauthorized destruction or alteration. Organizations must identify where ePHI is created, received, maintained and transmitted, a task that requires special care when cloud storage services are involved, because the data may be replicated across locations the organization does not directly control.
Dropbox Business offers a BAA for covered entities and can be configured to offer HIPAA-compliant cloud storage. The service provides a variety of administrative controls, including user access review and user activity reports. It also allows for the review and removal of linked devices and enables two-step authentication for additional security.
While Google provides a secure and compliant infrastructure for the storage and processing of PHI, the customer is responsible for ensuring that the environment and applications they build on top of Google Cloud are properly configured and secured according to HIPAA requirements. This is commonly referred to as the shared responsibility model in the cloud.
Google Cloud's security practices allow us to have a HIPAA BAA covering Google Cloud's entire infrastructure, not a set-aside portion of our cloud. As a result, you are not restricted to a specific region, which brings scalability, operational and architectural benefits. You can also benefit from multi-regional service redundancy as well as the ability to use Preemptible VMs to reduce costs.
The security and compliance measures that allow us to support HIPAA compliance are deeply ingrained in our infrastructure, security design, and products. As such, we can offer HIPAA-regulated customers the same products at the same pricing that is available to all customers, including sustained use discounts. Other public clouds charge more money for their HIPAA cloud; we do not.