The HIPAA-compliant Cloud
In late March, I wrote a blog post about some of the things you need to know or do to help ensure your use of cloud storage for protected health information (PHI) complies with HIPAA/HITECH. Given the number of questions I have received since then (and the growing list of breaches), it’s a topic worth covering again.
Here are the basics: HIPAA consists of a privacy rule and a security rule. The HIPAA Privacy Rule establishes the safeguards required to protect the privacy of protected health information (PHI), while the HIPAA Security Rule sets standards for the security of electronic protected health information (ePHI).
The U.S. Department of Health and Human Services (HHS) enforces these rules and the detailed administrative, physical and technical safeguards with which business associates must comply: companies like Peak 10, which provide outsourced services to organizations that HHS defines as “covered entities.” These outsourced services include cloud storage.
While your organization, as the covered entity, is ultimately responsible for meeting the HIPAA requirements, any business associate you work with to handle or store your information is subject to the same requirements.
There are more than 40 privacy and security safeguards required under HIPAA. If you’re using cloud storage from a third-party provider – a business associate – you need to know how the provider meets those safeguards. Below are examples of how Peak 10 fulfills some of them.
Administrative safeguards are actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI (“ePHI”) and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of ePHI.
Here are two examples of these safeguards and what Peak 10 does to meet the requirements.
- Risk Management – HIPAA requires covered entities and their business associates to implement security measures [sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to] ensure the confidentiality, integrity and availability of ePHI.
Peak 10 does this by:
- Performing network penetration testing regularly.
- Having implemented a proprietary intrusion detection solution.
- Monitoring in real-time for suspicious activity on its networks.
- Maintaining a secure firewall.
- Adhering to a formal incident response process to quickly recognize, analyze and remediate information security threats.
- Running a vulnerability management program.
- Log-in Monitoring – HIPAA requires covered entities and their business associates to implement procedures for monitoring log-in attempts and reporting discrepancies.
Peak 10 does this by:
- Allowing administrators to query user logins and activity.
- Automatically locking user accounts for ten minutes after an incorrect password is entered five times.
Note: Security email correspondence is sent to the customer’s email address of record indicating that the user has been temporarily locked out of their account for failure to enter the correct password.
Physical safeguards are measures, policies and procedures to protect a covered entity’s or business associate’s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Here are two examples and what Peak 10 does to meet them:
- Access Control and Validation Procedures – HIPAA compels covered entities and their business associates to implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Peak 10 meets this standard by:
- Restricting access to Peak 10’s facilities to authorized Peak 10 employees, approved visitors and other approved third parties.
- Having implemented several state-of-the-art security controls such as biometric identification as a requirement for access.
- Restricting access to Peak 10’s software programs for testing and revision purposes to authorized Peak 10 personnel only.
- Maintaining a visitor access policy stating that data center managers must approve, in advance, and accompany any visitors for the specific internal areas they wish to visit.
- Disposal – HIPAA requires covered entities and their business associates to implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
Peak 10 meets this standard by:
- Enacting a data destruction process upon a customer’s instruction or subscription termination.
- Peak 10’s data destruction process requires all hardware subject to destruction to be authorized for destruction and then logically wiped by authorized individuals. The erasure consists of a full write of the drive with all zeroes (0x00) followed by a full read of the drive to ensure that the drive is blank. These erase results are logged by the drive’s serial number for future tracking or recordkeeping.
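The write-then-verify-then-log sequence just described, as runnable code. This is an added example, not Peak 10’s own process: it runs against an in-memory file-like object rather than a real drive, and the StuckBlockDevice class is a constructed fault model included to show what the read-back step catches.

```python
import io
from typing import List, Optional, Tuple

CHUNK = 1024 * 1024  # write and verify in 1 MiB blocks

def zero_fill(dev, size: int) -> None:
    """Step 1: full write of the device with 0x00 bytes."""
    dev.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        dev.write(b"\x00" * n)
        remaining -= n

def verify_blank(dev, size: int) -> Tuple[bool, Optional[int]]:
    """Step 2: full read-back. (True, None) if every byte is zero, else
    (False, offset) of the first non-zero byte or of a short read."""
    dev.seek(0)
    offset = 0
    while offset < size:
        block = dev.read(min(CHUNK, size - offset))
        if not block:                       # device smaller than declared
            return False, offset
        if block.count(0) != len(block):
            return False, offset + next(i for i, b in enumerate(block) if b)
        offset += len(block)
    return True, None

def erase_and_log(dev, size: int, serial: str, operator: str,
                  now: float, log: List[dict]) -> bool:
    """Write, verify, then log the result keyed by the drive serial number."""
    zero_fill(dev, size)
    ok, bad_at = verify_blank(dev, size)
    log.append({"serial": serial, "bytes": size, "verified": ok,
                "first_nonzero": bad_at, "operator": operator, "time": now})
    return ok

class StuckBlockDevice(io.BytesIO):
    """Constructed fault model: writes at or past `fail_at` are silently lost,
    which is the failure the read-back step exists to catch."""
    def __init__(self, data: bytes, fail_at: int):
        super().__init__(data)
        self.fail_at = fail_at

    def write(self, b):
        pos = self.tell()
        super().write(b[:max(0, self.fail_at - pos)])
        self.seek(pos + len(b))             # behave as if the whole write landed
        return len(b)
```

A drive whose writes are silently dropped still reads back its old contents, so a wipe that only writes and never re-reads would be logged as successful; the verification step is what turns that into a failed, traceable entry.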
HIPAA also mandates technical safeguards: the technology, and the policies and procedures governing its use, that protect stored ePHI and control access to it. Here are examples of how Peak 10 meets these technical safeguards:
- Encryption and Decryption – HIPAA requires covered entities to implement a mechanism to encrypt and decrypt ePHI.
- Automatic Logoff – HIPAA requires covered entities and their business associates to implement electronic procedures that terminate an electronic session after a pre-determined time of inactivity.
This is what Peak 10 does to meet these requirements:
- Automatically log out customers after 30 minutes of inactivity.
- Prohibit access for ten minutes after entering an incorrect password five times.
Note: Security email correspondence is sent to the customer’s email address of record indicating that the user has been temporarily locked out of their account for failure to enter the correct password.
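The lockout and idle-timeout rules above (and the log-in monitoring requirement earlier in the post) worked into one piece of code. This is an added example, not Peak 10’s own code: the credential check and the lockout-email hook are assumed callbacks, and the in-memory audit list stands in for whatever store administrators actually query.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Policy values from the post: 5 failures -> 10-minute lockout; 30 idle minutes -> logoff.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 10 * 60
IDLE_TIMEOUT_SECONDS = 30 * 60

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0               # epoch seconds; 0.0 means not locked
    last_activity: Optional[float] = None   # None means no active session

@dataclass
class LoginMonitor:
    # Both hooks are assumptions: a credential check and the lockout-email sender.
    check_password: Callable[[str, str], bool]
    notify_lockout: Callable[[str, float], None]
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)   # what admins query

    def _record(self, user: str, event: str, now: float, result):
        self.audit_log.append({"user": user, "event": event, "time": now})
        return result

    def login(self, user: str, password: str, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:           # reject without touching the counter
            return self._record(user, "rejected_locked", now, "locked")
        if self.check_password(user, password):
            st.failed_attempts, st.last_activity = 0, now
            return self._record(user, "success", now, "ok")
        st.failed_attempts += 1
        self._record(user, "failure", now, None)
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed_attempts = 0          # assumption: counter restarts after lockout
            self.notify_lockout(user, st.locked_until)
            return self._record(user, "locked", now, "locked")
        return "failed"

    def touch(self, user: str, now: float) -> bool:
        # Call on every request; False means there is no live session.
        st = self.accounts.setdefault(user, AccountState())
        if st.last_activity is None:
            return False
        if now - st.last_activity > IDLE_TIMEOUT_SECONDS:
            st.last_activity = None
            return self._record(user, "auto_logoff", now, False)
        st.last_activity = now
        return True
```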
Then There’s the BAA
Under the recent Omnibus Rule changes, covered entities are required to execute business associate agreements (BAAs) with certain entities that may not have been considered business associates in the past. This includes data storage companies, and entities that provide data transmission services and require access to the data on a routine basis. Many of these providers may be hesitant to sign a BAA. Peak 10 isn’t.
Peak 10 will enter into a BAA with covered entities that use the company’s cloud storage services, providing contractual assurances that Peak 10 will appropriately safeguard the data.
What about Peak 10’s subcontractors and partners?
No worries. Peak 10 requires all of its subcontractors and partners to enter into contracts with us that assure each has implemented all of the administrative, physical and technical safeguards required under the HIPAA Privacy and Security Rules. Documentation of third-party audits attesting to their compliance is also required. Doing so enables Peak 10 to leverage the resources of these partners to enhance its ability to facilitate compliance for customers classified under HIPAA as covered entities.
Your To-Verify List
Each organization in the healthcare world that is considered a covered entity is unique and will have its own specific IT infrastructure assets, resources, processes, data and more, yours included. The best way to determine if a potential cloud storage provider can meet your security and compliance needs is to first compile a list of all your requirements.
That includes the HIPAA technical safeguards, administrative safeguards and physical safeguards, as well as any unique security or compliance needs you may have. While some of these will fall solely under your responsibility, your cloud storage provider may be able to help satisfy others. This is particularly true if the provider has been audited for HIPAA compliance. Just keep in mind that even if the provider can meet the requirements, your organization is ultimately responsible. (That’s why it is also a good idea to consult legal advice.)
Then sit down with potential storage providers and have them explain how they can meet each of your requirements as appropriate. Don’t hesitate to ask for proof or documentation. The cost of non-compliance is high, so don’t take chances. In the event of a data breach, you’re not just looking at financial penalties. You’ve got your organization’s reputation on the line, and potentially the welfare of patients and customers.