HIPAA Standards: Compliance and the Cloud
With so many businesses and healthcare organizations migrating to the cloud, it’s essential to know whether your cloud choice follows HIPAA standards and is HIPAA compliant. Cloud computing comes in various forms, so it can be difficult for healthcare providers to understand and navigate this growing technology terrain.
You need to choose the best cloud option for your business, and the right one to keep patients’ protected health information (PHI), such as health records and electronic medical records, safe and your company HIPAA compliant. Technical safeguards are required to comply with the HIPAA Security Rule and prevent unauthorized access to PHI.
The best approach is to know which options are at your disposal and how the world of cloud computing is or is not compliant with the current HIPAA regulations.
HIPAA Standards - Cloud Service and Deployment Models
As an MSP, we know there are a lot of service models out there that businesses and healthcare providers can take advantage of in varying capacities, and these include:
- Software-as-a-Service (SaaS)
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Mobile Backend-as-a-Service (BaaS)
- Identity and Access Management-as-a-Service (IDaaS)
- Managed Software-as-a-Service (MSaaS)
- Analytics-as-a-Service (AaaS)
There are equally many deployment models, with private, public, and hybrid clouds being the most common.
It is your responsibility to ensure that your cloud infrastructure complies with the standards outlined in HIPAA regulations and that your selection offers the same level of data protection as an on-premises option.
Concern about cloud adoption often begins with the migration from an on-premises system. This is because the cloud may be seen as more susceptible to data breaches, cyber threats, or unauthorized access. Therefore, to make cloud adoption a safe and more appealing option for healthcare providers and meet HIPAA standards, cloud service vendors provide cloud solutions with additional protocols, multilayered security, and tighter access controls. These stricter offerings ensure that your infrastructure adheres to HIPAA security and compliance requirements, but these offerings alone aren’t always enough to be HIPAA compliant.
Why Strict Cloud Service Offerings Aren’t Enough
Again, it comes down to the law, and that often means paperwork. Unfortunately, a simple service offering and a verbal guarantee that a cloud solution meets HIPAA standards or is compliant is simply not enough these days.
A cloud provider is a third-party vendor, meaning they are an external contractor for your organization. Third-party vendors may not have to comply with HIPAA in their primary services and offerings on a day-to-day basis. However, their level of HIPAA responsibility changes when their services are employed by a healthcare provider, and both you and they need to be aware of this.
This is where the Business Associate Agreement (BAA) comes into play. It shows that you and the vendors you employ are aware of HIPAA laws and of what needs to be done to prevent disclosures of individually identifiable health information, or PHI.
A BAA is a signed document that all third-party vendors, or covered entities (CE), must provide when employed by a healthcare provider. It is a legal document stating that the vendor is aware of HIPAA rules and regulations and can guarantee that the products and services they offer are in line with the law.
Products developed and manufactured by another provider – Microsoft or Google for example – will also require a signed BAA from the product manufacturer.
Cloud Vendors, BAAs, and Responsibility
The law is never cut and dried, and, unfortunately, neither is the vendor-BAA-responsibility relationship. A signed BAA from a third-party vendor can still be problematic if you are unaware of the covered responsibilities of the cloud provider as defined by the BAA and HIPAA.
All major cloud vendors (Google, Microsoft, Amazon, Box, Dropbox) are willing to sign a BAA, but their responsibilities differ from vendor to vendor. While Google offers G Suite and Google Cloud Platform as HIPAA-compliant services, their responsibility is only to create a secure environment for those applications built into the Google Cloud Platform.
Amazon offers Amazon S3 Glacier and signs a BAA for all AWS services, but it is the responsibility of the customer to set up HIPAA-compliant cloud storage according to Amazon reference architecture guidelines.
This is again different from Microsoft, which offers compliance in Azure, Azure Government, Office 365, Dynamics 365, PowerApps, PowerBI, and more. Microsoft’s responsibility is to ensure there is a compliance program and internal processes that allow for the use of Microsoft services in line with HIPAA.
Both Box and Dropbox, however, are only responsible for compliance in administrative processes to protect patient data.
The Cloud is the Future - Moving Forward
Cloud computing has great benefits for all businesses because it offers scalable, flexible, and cost-effective options that help companies grow. But, as with everything new, there can be a learning curve, and when that learning curve involves the law, the risk can be high if the proper security measures aren’t followed. So, it is best to make sure that you leave nothing to chance and do what you can to avoid HIPAA violations by employing the right team to get the job done.
And, speaking of avoiding HIPAA violations, we’ve got a free HIPAA compliance checklist.
The expert team at Merit Technologies can help. As a HIPAA-verified MSP, we have the technical expertise and experience to set your business up with the cloud solutions you need.