Do a quick online search of “cloud storage and HIPAA compliance.” There’s no shortage of companies that will turn up in the results that are touting their “HIPAA-compliant” cloud services. That’s good because it means you have a choice among cloud services providers (CSPs). It also indicates that there’s recognition in the industry for the need for cloud storage services that accommodate applications and data that are subject to HIPAA compliance regulations.
However, just because a company says its cloud storage services are HIPAA-compliant ─ and that the company itself is ─ doesn’t mean it’s true. Nor does working with a “HIPAA compliant” CSP take you off the hook for meeting HIPAA requirements.
Here are five things you need to know or do to help ensure your usage of cloud storage for protected health information (PHI) complies with HIPAA.
- There are no “HIPAA-certified” CSPs.
Beware of CSPs that claim to be “HIPAA certified”. The U.S. Department of Health and Human Services (HHS), the entity responsible for HIPAA, does not require or formally recognize any HIPAA certification programs for CSPs.
What you want is a CSP that has the necessary controls and processes in place to comply with the HIPAA requirements for which it is responsible. One way to ensure this is to go with a CSP that undergoes annual independent audits of its data center operations and cloud infrastructure, preferably measured against the Office for Civil Rights (OCR) HIPAA Audit Protocol. The protocol provides a breakdown of the specific audit criteria used by the OCR, the entity within HHS responsible for enforcing HIPAA compliance.
The CSP should also be willing to sign a BAA (as noted in #3).
- Know the definitions for HIPAA compliance that apply to each party.
The HHS website provides in-depth information about all aspects of HIPAA. In particular, review the section on the Omnibus Final Rule, which extends many of the HIPAA compliance requirements to business associates.
Business associates are defined as any person or organization that performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. The final rule clarifies that “a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
All the rules and regulations can be difficult to understand, so if you have questions, don’t hesitate to consult an expert who specializes in HIPAA.
- Make sure your contract with a CSP includes a business associate agreement (BAA).
Covered entities are required to have a written contract ─ a business associate agreement (BAA) ─ with any third-party supplier they work with that will handle PHI on the organization’s behalf. The BAA specifies what the supplier will do for the covered entity and that it will comply with the HIPAA requirements to protect the privacy and security of PHI. If you’ve been working with a CSP and don’t have a BAA in place, update your contractual arrangement so that you do.
- Perform a comprehensive assessment of any CSP you are currently using or are considering.
Due diligence is a must. Ask questions to validate that the CSP understands your HIPAA requirements, as well as its own responsibilities for compliance. Does it have a dedicated person on staff whose job is to match the CSP’s processes and protocols with the requirements of HIPAA? Does it have a business continuity plan in place? Does it have a proven track record of successfully managing cloud services for other healthcare clients? Does it have a security awareness program in place for its entire organization?
One of the best assurances you can get that a CSP has the appropriate technology, processes and policies in place for HIPAA compliance is to review its annual HIPAA audit report on compliance. That audit should be conducted by a reputable third-party auditor and follow the OCR HIPAA Audit Protocol, which was adopted in 2012 and serves as a set of guidelines stipulating how HIPAA audits should be performed. The audit should cover all 169 requirements of the HIPAA law.
CSPs that undergo other types of audits, such as those required by PCI DSS and SSAE 16, may also be more likely to meet HIPAA requirements for data security and privacy because of the stringent protocols those audits entail.
- Encrypt PHI wherever it is stored or transmitted.
Encryption is considered a “best practice” for data security. Surprisingly, the HIPAA rules state that the use of encryption is not “mandatory” but “addressable.” While it may not be mandatory, encrypting your data provides “safe harbor”: if your data is somehow breached or lost, provided it was properly encrypted, the incident will not be considered a breach of unsecured PHI. To protect yourself and your data, make sure PHI is encrypted in every possible location.
You should deploy strong encryption for all PHI-related data, using strong, standard algorithms such as AES-256 for encryption and SHA-2 for integrity hashing. Verify that the encryption keys are protected as well. As a best practice, the key management system should split the encryption key between at least two entities, and if possible deploy homomorphic key encryption to secure your encryption keys while they are in use in the cloud.
As a covered entity, you should also implement technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic network. Encryption of data in transit is again the recommended tool. Always enable TLS (HTTPS) rather than legacy SSL, and if possible deploy an IPsec tunnel between your application servers and clients.
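One way to implement the at-rest half of this advice, as an added example in Go that is not code from the original article: each PHI record is sealed with AES-256-GCM (so a wrong key or a modified byte is detected on read), and the data key is split 2-of-2 between two custodians so that neither can decrypt alone. The function names and the XOR-based split are my own choices; a production deployment would keep the two shares in separate key-management systems or HSMs rather than in one process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewPHICipher builds an AES-GCM AEAD; a 32-byte key selects AES-256 as recommended above.
func NewPHICipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI encrypts one record with a fresh random nonce; the blob is nonce || ciphertext || GCM tag.
func SealPHI(gcm cipher.AEAD, record []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// OpenPHI decrypts and authenticates a stored blob; a wrong key or any modified byte yields an error.
func OpenPHI(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// XorBytes is the 2-of-2 combine step: key = shareA XOR shareB (both custodians must contribute).
func XorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// SplitKey gives two custodians shares A (random) and B = key XOR A; either share alone is uniformly random.
func SplitKey(key []byte) (a, b []byte, err error) {
	a = make([]byte, len(key))
	_, err = rand.Read(a)
	return a, XorBytes(key, a), err
}
```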
There are many other considerations for assessing CSPs to store PHI, but these five will give you a start. The important thing to keep in mind is that as more healthcare organizations move data to the cloud to reap the many benefits offered, an increasing number of CSPs are hoping to capitalize on the trend. Make sure the ones you consider are able to deliver what you need ─ including HIPAA compliance.