The deadline draws near – September 23, 2013 is the date by which both business associates (now including cloud service providers) and covered entities must comply with the HIPAA Omnibus rule, released in January to update the 15-year-old law.
A refresh was needed in particular to keep pace with advancing technology and the push toward electronic health record systems (EHRs), which aim to streamline patient care and increase the healthcare industry’s efficiency in the hope of reducing healthcare costs.
The cloud is a big player in this game, allowing for high-capacity storage and processing of the healthcare applications and data being produced en masse. With cloud infrastructure as a service (IaaS), healthcare software as a service (SaaS) companies can take advantage of cloud scalability while protecting sensitive patient data – if the environment is designed with high availability and security at top of mind.
The Dept. of Health and Human Services recognizes that the healthcare industry will use the cloud – but by placing cloud service providers within the scope of compliance, it is making clear that the cloud needs to meet the same security standards to reduce the risk of a data breach.
Choosing a HIPAA compliant cloud provider isn’t simple in these times, and as a healthcare organization or SaaS company, you need to know the basics to ensure you’re covered by September 23:
- Encryption. Do they offer encryption of data at rest and in transit as part of their cloud solution? Or do you have to spend more time and resources adding another encryption service on top of their cloud to make it work? Data encrypted in line with HHS guidance is not considered “unsecured” PHI under the HIPAA Breach Notification Rule, so its loss does not trigger a notification, and it stays confidential even if accessed.
- HIPAA Report on Compliance (HROC). The final HIPAA rule says cloud providers are considered business associates. Wouldn’t you rather your cloud provider had already undergone a third-party audit of its services to ensure the safety and compliance of your data (and to save you the trouble of paying for another audit of your business associate)? Don’t just take their word for it – review a copy of their HIPAA audit report and check that they’re audited against the OCR HIPAA Audit Protocol.
- Business Associate Agreement (BAA). Check on their policies around data breach notification, data termination, data access and what services they provide that help you meet compliance.
- Private clouds. A HIPAA compliant private cloud environment can give you dedicated compute, memory and disk performance, meaning your resources are always reserved for you when you need them. Some public cloud setups allocate resources to other tenants on a first-come, first-served basis, meaning you may be out of luck.
- Disaster recovery and offsite backup. The HIPAA Contingency Plan standard requires covered entities to establish and implement a backup and full disaster recovery plan to recover systems that contain electronic protected health information (ePHI) – having one for your cloud environment keeps your data available even in the event of a natural disaster.
This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.
Read up more on the HIPAA Omnibus rule in:
Final HIPAA Omnibus Rule: How it Changes Cloud Computing for Healthcare
The long-awaited final modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules were introduced recently. The 563-word document outlines the changes that were initially slated for implementation last summer, also known as the final omnibus rule. …
Encryption for the HIPAA Compliant Cloud
Many cloud computing infrastructure as a service (IaaS) providers may provide log monitoring, antivirus, web application firewalls, SSL certificates, dedicated SANs and more for healthcare organizations, but often the missing ingredient lies in one key technical aspect: encryption. Encryption for healthcare …
HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules
Does your HIPAA hosting provider have a legal BAA (business associate agreement)? I just got off the phone with our attorneys, who are updating our business associate agreement to reflect the changes required in the HHS final HIPAA Privacy and …