Learn about the guidelines of HIPAA, and gain a better understanding of the role you and your IT provider can play in achieving cloud compliance.
The global healthcare cloud computing market is expected to exceed $11 billion by 2022, an annual growth rate of more than 20 percent, according to Market Watch. Healthcare cloud computing helps medical professionals access digital records faster and can host larger quantities of clinical statistics, research, and patient records than was ever possible before.
For organizations that manage, store, or transmit electronic protected health information (ePHI) or those that are entering the cloud marketplace, staying up-to-date on the latest HIPAA guidelines is essential. Published in October 2016 and updated in June 2017, the U.S. Department of Health and Human Services’ (HHS) Guidance on HIPAA & Cloud Computing clarifies the responsibilities of covered entities (CEs), business associates (BAs), and cloud service providers (CSPs).
The need for compliance and security in the cloud is more important than ever for the healthcare industry. Cyber criminals specifically target healthcare because of the highly sensitive, and highly valuable, information it possesses.
Having security policies in place and understanding your hosting provider’s compliance standards could prevent you from landing on the Office for Civil Rights (OCR) “wall of shame”. This public breach portal lists every breach of unsecured PHI affecting 500 or more individuals that was reported within the last 24 months and is currently under investigation by the OCR. It includes both covered entities and business associates, and the investigations it records can end in serious fines for organizations that did not follow HIPAA’s requirements for ePHI in the cloud. Non-compliance due to ignorance will not save you from the legal and financial consequences.
Leveraging the Power of the Cloud under HIPAA Guidelines
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources, including hardware and software, that can be rapidly provisioned and released with minimal management effort. In healthcare, cloud computing lets organizations access, use, change, and grow ePHI databases efficiently for streamlined patient care.
With proper security and compliance regulations surrounding HIPAA in place, the possibilities that cloud computing can achieve are endless.
With the explosion and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning how they can take advantage of cloud computing, while complying with regulations protecting the privacy and security of electronic protected health information.
The HIPAA Privacy, Security and Breach Notification Rules established important protections for individually identifiable health information. These rules include limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals’ rights with respect to their health information.
The HIPAA Security Rule, read together with HHS’s Guidance on HIPAA & Cloud Computing, assigns liability and clarifies responsibilities for any organization using or offering cloud computing services.
What are Healthcare Cloud Security Concerns?
Because of the numerous benefits that cloud computing offers, many hospitals, clinics, and healthcare organizations are quickly adopting this technology. With such a quick move to the cloud, it is important to understand the specific security concerns you need to build protections against.
One of the top security concerns is keeping protected health information (PHI) secure in the cloud. Just a few years ago, HIPAA compliance was a cloud nightmare. However, the HIPAA Omnibus Rule, finalized in January 2013 and effective March 26, 2013, improved patient privacy protections, gave individuals new rights to their health information, and strengthened the government’s ability to enforce the law. Among other changes, it made business associates, which include cloud service providers that handle ePHI, directly liable for compliance with the Security Rule.
From there, data center and cloud service providers have heard the challenges coming from healthcare providers and have worked hard to ensure that the transition into cloud is both smooth and secure. Here are some top security concerns when implementing a cloud solution. Understanding and creating a roadmap around top security concerns is a great way to ease fears and adopt a powerful strategy.
- Security of company data: Since healthcare data is extremely valuable, healthcare is one of the most highly targeted industries for cyber criminals. Medical records, payment information, credentials, and sensitive research are just some of the highly coveted data that healthcare organizations possess. As a result, healthcare data breach costs have remained the highest among sectors for a seventh straight year: IBM and Ponemon found that healthcare data breach costs average $380 per record, more than 2.5 times the global average across industries. Data center and cloud service providers are always working to protect healthcare information and to offer compliant services for the healthcare industry. If you are concerned that your data is at risk, talk to a cloud or data center partner like LightEdge that specializes in migrating healthcare workloads, applications, and data into compliant infrastructure.
- Network reliability: Network latency and performance have been a barrier to healthcare organizations moving to the cloud. Key applications are needed to save lives, so network reliability is rightfully a top worry. To overcome this barrier, take data proximity and the criticality of each application into account when you design your architecture. Redundancy is built into every LightEdge data center, which are designed to weather nearly any incident with minimal downtime: redundant power and cooling, geographically diverse central offices, and multiple data network carrier access points.
- Reliability of cloud data storage: With the many cloud options available, you can use different types of storage for different classes of data. Cloud and data center providers that are ready for healthcare workloads can help you keep data where you need it, so you can always access it appropriately. If you need extra performance, make sure you account for that up front. Poor performance or storage latency will end up costing you much more than investing in good technology solutions to begin with.
Review HIPAA Guidelines for Healthcare Cloud Computing
Most HIPAA-compliant cloud service providers create service level agreements (SLAs) that address security, information disclosure, disaster recovery policies, and other specific data handling practices. Every covered entity and business associate must understand both its own compliance obligations and those it shares with its partners. As HIPAA business associates, cloud service providers must:
- Not use or disclose ePHI except as permitted by the BAA, the Privacy Rule, or other applicable law. This applies equally to “no-view” cloud service providers, which store only encrypted ePHI and hold no decryption key, and to providers that can view the data: neither may block covered entities or individuals with access rights from reaching their ePHI, and both must maintain safeguards that prevent unauthorized access.
- Report any security incident involving a HIPAA covered entity’s or business associate’s ePHI, including breaches of unsecured PHI. Cloud service providers must also respond to suspected or known security incidents and mitigate their harmful effects to the extent practicable. Security incidents and their outcomes must be documented.
- Recognize the separation of responsibility under the Security Rule. While cloud service providers must protect the data in their care, they must also understand the division of access and responsibility. Customers who access health records through a provider, for instance, bear responsibility for following access best practices on their side. Cloud service providers must maintain compliance with access control, encryption standards, and the other activities within the scope of the business associate agreement.
Covered entities should use business associate guidelines when evaluating and choosing all cloud service providers, for cloud software as well as hardware services. The HIPAA Rules do not require cloud service providers that are business associates to provide documentation of, or allow audits of, their security practices by their customers who are covered entities or business associates. Although HIPAA does not require it, healthcare organizations should demand this from their cloud service providers through the SLA.
Requiring additional assurances of protection for PHI, such as documentation of safeguards or audit results, based on your own risk analysis, risk management, or other compliance activities, is best practice.
Implement Best Practices for HIPAA Cloud Compliance Today
Organizations have struggled to transition from the physical security of a data center to security in the cloud. For your cloud-based data to be secure, the data center in which it resides must also be secure, and cloud deployments require additional security functions on top of that.
Because the U.S. Department of Health and Human Services does not offer recommendations or endorse a list of qualified vendors for covered entities, it’s up to you to do your due diligence. To choose an appropriate cloud service provider, use the following best practices:
- Conduct a risk assessment. Managed hosting providers should be able to demonstrate complete compliance. For ePHI-handling services, public cloud solutions rarely offer the security and support a healthcare covered entity needs. NIST’s Risk Management Framework suggests the following steps, which apply directly to healthcare risk management:
  - Categorize information systems
  - Select and implement security controls
  - Assess security controls
  - Authorize information systems
  - Monitor and adjust security controls
- Ask providers how they mitigate common cloud security mistakes. The Office for Civil Rights cites three main mistakes in data security: lack of encryption, lack of transmission security (for example, when connecting multiple clouds and managing the security of that connection), and the use of unpatched or outdated software.
- Look for the major security and privacy capabilities in a vendor. Evaluate encryption (at rest and in transit), access controls, log management, auditing, penetration testing, and disaster recovery planning before entering into a contract with a possible service provider.
- Begin each partnership with the right strategy. Develop a service definition, a business associate agreement, and a service level agreement to prioritize both compliance and successful business outcomes from the start. Before talking to service providers, identify the workflow changes you wish to see and the services that match your business goals. Then search for providers who can meet both your regulatory and your service needs.
Find an Experienced HIPAA Compliant Cloud Storage Provider
When trying to find the best HIPAA compliant cloud hosting provider, it is best that your provider has experience with healthcare customers. Ask how many of the hosting provider’s customers are in healthcare, and how they facilitate HIPAA cloud compliance with those customers. Meeting the demanding HIPAA compliance standards is difficult, so a data center and cloud hosting provider should be well-versed in addressing the dynamic needs of healthcare businesses. For example, a data center and cloud storage provider should define the responsibilities of each party for maintaining compliance.
A hosting provider that regularly works with organizations in the healthcare industry will have the expert knowledge to keep EHR and PHI secure. These providers will already have the background experience dealing with industry rules and regulations and will be able to advise you on compliance actions your organization should be taking.
What Impact Will A Hosting Provider Have?
Finding a data center and cloud hosting provider that meets the HIPAA standards described above will allow you to focus on innovating your healthcare organization to improve patient experience and business efficiency. With the tools listed above, your hosting provider will help keep ePHI secure and in step with HIPAA standards.
Data center and cloud hosting providers can also protect your healthcare data in an emergency by serving as a disaster recovery location. Evaluating providers on their compliance expertise, secure infrastructure, experience in the healthcare industry, private cloud offerings, and ongoing education and training will greatly reduce the risk of a physical or cyber breach of your data.
How Does Your Healthcare Organization Stack Up Against HIPAA Guidelines?
Compliance not only protects businesses from excessive regulatory fines, it also protects a company’s reputation and minimizes the risk of harm to your patients. Cloud computing offers technical dexterity and gives healthcare organizations a competitive edge in a rapidly advancing world. However, not all cloud computing service providers offer the same level of support, data security, and compliance expertise. Use our tips to understand how HIPAA governs cloud service providers and business associates to find a proven compliance-friendly provider that meets your usability requirements and compliance needs.
LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, and newly acquired Austin and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a proven background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer to all of our clients. Compliance and security are top priorities in keeping your data protected. While there is no official HIPAA certification, LightEdge annually undergoes a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:
If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers, or to learn more about LightEdge’s compliance offerings, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.