Finding a healthcare cloud service provider (CSP) got a lot harder in the last 12 months.
In March, 2013, the 18-year-old Health Insurance Portability and Accountability Act (HIPAA) was updated. The 137 pages of dense text define what’s optimistically called the “Final” HIPAA Omnibus Rule, superseding a previous rule update.
The consequences of the update are many. One takeaway: if you need cloud services, especially as a VAR or MSP, the rules for you and your CSP got tighter and the penalties higher. You’re going to need to be sharper than ever to find a cloud that complies. And for many, the compliance deadline has already passed.
The Good News
Thankfully, help is available. CSPs are increasingly ready to work with healthcare-related organizations. Ideally, a cloud partner can lift some important aspects of compliance off your shoulders – leaving you to do what your organization is already good at doing. If you follow this guide to assessing potential cloud providers, HIPAA compliance can almost seem easy. (Yes, we said “almost.”)
No two cloud implementations are the same, just as no two healthcare businesses are alike. Yet all are subject to the same list of HIPAA requirements, and all draw from the same menu of storage and cloud services. Attention to detail up front will pay huge dividends in your success.
Look Beyond the Provider’s BAA
Your cloud service provider’s business associate agreement (BAA) is only the starting point. Any credible CSP should be happy to sign a BAA with you. Even Google, notoriously immune to requests for regulation, has stated its willingness to sign a limited BAA for certain cloud services.
To succeed with HIPAA, you need to look far beyond base-level agreements. Look for experience, guidance and a great deal more. A restaurant may pass all health department regulations, but that doesn’t ensure that the food will be delicious.
The best among HIPAA-savvy CSPs actually provide a pathway to compliance for your enterprise. Providers with specialized HIPAA experience have already absorbed the regulations and have a depth of client experience in the field. Not only will they provide you with cloud services, they’ll assist you in lightening the IT compliance burden.
Find a Dedicated Compliance Department
Your single strongest guarantee of success in the HIPAA cloud is a partner who’s already obsessive about compliance. HIPAA compliance isn’t something that can be added to a service provider’s offerings ad hoc. It needs to be built in from the ground up.
“HIPAA is a key area we focus on,” says David Kidd, Peak 10’s Director of QA and Compliance. Early on, the CSP grasped the importance of compliant services to IT organizations. A compliance program was established, processes aligned and audits completed. Today, with years of experience maintaining compliance in its own infrastructure, Peak 10 shares its expertise with clients.
Ideally, your healthcare cloud provider is audit-ready in related compliance areas: FDA, SSAE 16, ISO 27001 or whatever your organization requires. “Peak 10 has thousands of customers with regulatory compliance needs from hundreds of agencies,” David Kidd reports. That sort of lengthy compliance leadership provides you with ample existing implementations as reference architectures.
Secure the Data
“Data is the real treasure of healthcare IT,” David Kidd observes. “You can replace machinery and software. Accurate, secure patient data, however, is the irreplaceable lifeblood of the healthcare organization.”
Although protected health information (PHI) may be gathered upstream, the security portion of the HIPAA rules falls on everyone storing, organizing or disseminating the data. That means no ordinary cloud will do.
Your CSP should be able to offer a robust security suite demonstrating expertise in all common facets of security: risk assessment, exposure, transparency, due diligence, vulnerabilities and reporting. Moreover, you’ll want clear guidance in the specialties of HIPAA-specific security.
Since data is irreplaceable, a comprehensive disaster recovery plan is essential – and a requirement of the HIPAA regulations. Downtime, data loss or system malfunctions do occasionally happen even in the best-managed systems. You’ll sleep much better knowing everything’s secured.
Watch the Boundaries
Many cloud providers offer HIPAA-compliant services amidst other services that do not comply. For example, Google’s BAA states clearly that only four paid Google Apps are covered. Any use of other apps, including the free versions, crosses the boundary into non-compliant territory.
Watch your step! You might start in a compliant cloud environment – only to discover that additional cloud services or features you need cannot be provided in a HIPAA-compliant fashion. Suddenly, you’re landlocked.
The best approach is to identify a provider where there is no difference between the cloud services offered to regulated customers and those offered to anyone else. “It’s the same Peak 10 Enterprise Cloud for HIPAA and unregulated customers,” says Peak 10’s David Kidd. “We don’t have to worry about breaching a boundary, and you have access to all service offerings no matter your compliance requirements.”
Do Your Diligence
You have a choice of cloud partners in all shapes and sizes. So if you’re basing your business on the CSP, there’s no substitute for doing it right.
Take your due diligence seriously. Some vendors who looked great on paper have disappeared in the last year. Others don’t have the expertise their websites claim. And regrettably, inexpensive public cloud services probably won’t save you money or time in a specialized field such as HIPAA compliance.
Remember too that setting up an effective healthcare cloud doesn’t happen overnight. Though it’s easy to let budgets or timelines compress the schedule, it’s essential to allocate the time to do the upfront work right. Your partner will bring expertise to the table, but ultimately you’re responsible for successful compliance. Long after the planning process is forgotten, you’ll be living with its results.
Take the time for thorough investigation and planning to ensure long-term success.
HIPAA compliance will probably never be easy. But with the right partner, healthcare cloud services don’t need to cause anxiety.
Though it’s easy to lose sight of it, the objective of HIPAA-compliant healthcare IT is improved patient outcomes. That translates into secure, well-planned systems in your organization that provide peace of mind to you, your clients and their patients.