Many cloud infrastructure as a service (IaaS) providers offer log monitoring, antivirus, web application firewalls, SSL/TLS certificates, dedicated SANs and more for healthcare organizations, but the missing ingredient often lies in one key technical control: encryption.
Encryption for healthcare organizations that need to meet HIPAA compliance is important for a few reasons:
- It's considered best practice, and is called out by the HIPAA Security Rule: "A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information." (45 CFR § 164.312(a)(2)(iv)). Note that this is an "addressable" rather than "required" implementation specification: a covered entity that chooses not to encrypt must document why and put an equivalent alternative safeguard in place, which in practice makes encryption the expected path.
- Encrypted ePHI (electronic protected health information) is not subject to the breach notification obligations under the HITECH Act, according to AmericanBar.org. The caveat is that the safe harbor only applies when the data was encrypted in line with HHS guidance (which points to NIST standards) and the keys were not compromised along with the data.
- Encrypting health data at rest and in transit means you must also encrypt data stored or archived as backups, including copies shipped offsite, not just data as it is initially collected or processed.
So with these considerations in mind about the importance of encryption for HIPAA compliance, what should you look for in a HIPAA compliant cloud solution and provider?
- Complete offsite backup and disaster recovery options
- Encryption of data at rest
- A private cloud solution with dedicated servers
- An independent audit report against the OCR HIPAA Audit Protocol
- Business associate agreement (BAA)
- Documented policies and procedures
- Business associate-trained staff
When it comes to a service contract with your HIPAA cloud provider, make sure you address who holds the encryption keys and the conditions under which the provider is allowed to use them. If the answer is never, state that explicitly in the contract, and prefer a design in which the provider only ever stores ciphertext and wrapped keys, so the contractual promise is also technically enforced. Data governance is important for establishing health data security.
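One way to make "the provider never holds the keys" a technical fact rather than a contractual promise is envelope encryption performed on the customer side before a backup is uploaded. The following Go program is an added illustration written for this page, not code from the original article or from any hosting provider; the customer/provider split, the backup identifier and the sample patient record are all constructed for the example. A per-backup data encryption key (DEK) encrypts the archive, the DEK is wrapped under a key encryption key (KEK) that stays with the covered entity, and only the two ciphertexts go to the provider.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBackup is the only thing the hosting provider ever stores. The DEK
// is present only in wrapped form, so the provider cannot decrypt the archive
// without the customer's KEK.
type EncryptedBackup struct {
	ID         string // backup identifier, bound to both blobs as AAD
	Sealed     []byte // nonce || AES-256-GCM ciphertext of the archive under the DEK
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

// NewKEK generates a 256-bit key encryption key. In a real deployment this
// lives in the customer's HSM or KMS, never on the provider's systems.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext, authenticating aad alongside the data.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a tampered blob or mismatched aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptBackup runs on the customer side before the archive leaves the
// organization: fresh DEK per backup, archive sealed under the DEK, DEK
// wrapped under the KEK. Only the returned struct is handed to the provider.
func EncryptBackup(kek []byte, id string, archive []byte) (EncryptedBackup, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedBackup{}, err
	}
	sealed, err := seal(dek, archive, []byte(id))
	if err != nil {
		return EncryptedBackup{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return EncryptedBackup{}, err
	}
	return EncryptedBackup{ID: id, Sealed: sealed, WrappedDEK: wrapped}, nil
}

// DecryptBackup unwraps the DEK with the KEK, then decrypts the archive.
// Without the KEK (the provider's position) neither step is possible.
func DecryptBackup(kek []byte, b EncryptedBackup) ([]byte, error) {
	dek, err := open(kek, b.WrappedDEK, []byte(b.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, b.Sealed, []byte(b.ID))
}

// LeaksPlaintext is a sanity check on what the provider stores: no fragment
// of the record should be recoverable from either blob by inspection.
func LeaksPlaintext(b EncryptedBackup, fragment []byte) bool {
	return bytes.Contains(b.Sealed, fragment) || bytes.Contains(b.WrappedDEK, fragment)
}

func main() {
	// Constructed sample record for the example; not real patient data.
	archive := []byte("MRN 000123 | DOE, JANE | DOB 1970-01-01 | HbA1c 6.1%")
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	b, err := EncryptBackup(kek, "backup-0001", archive)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can read patient name:", LeaksPlaintext(b, []byte("DOE, JANE")))
	if _, err := DecryptBackup(make([]byte, 32), b); err != nil {
		fmt.Println("restore with wrong KEK:", err)
	}
	out, _ := DecryptBackup(kek, b)
	fmt.Println("customer restore matches:", bytes.Equal(out, archive))
}
```

The backup ID is passed as additional authenticated data to both AES-GCM calls, so a wrapped DEK from one backup cannot be swapped onto another archive; this is the same binding a KMS "encryption context" provides. Key rotation becomes a re-wrap of the small WrappedDEK blob under a new KEK rather than re-encrypting every archive, which is what makes the customer-held-key model workable at backup scale.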
A HIPAA compliant cloud can offer the security and scalability you need in order to grow with your organization, but it’s important to ensure encryption is part of the entire package.
For a complete guide to HIPAA technical, administrative and physical security, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.