Every day more businesses are shifting some or all of their operations to the cloud, but what if your business requires HIPAA (Health Insurance Portability and Accountability Act ) compliance? Is using a cloud service provider (CSP) off the table for you because you’re now transmitting data outside your walls?
The U.S. Department of Health & Human Services responded to the growing questions related to compliance and cloud computing last year with this guide. They seem to recognize that it is your duty as a health care provider (or medical records related practice) to protect the privacy and security of electronically protected health information (ePHI), but it’s also your obligation to maintain an up-to-date service experience for your clients or you won’t have any clients left.
Here is a summary from AMA Wire:
- Mobile Device Use. Doctors and health care professionals are allowed too access ePHI in the cloud via mobile devices as long as physical, administrative and technical safeguards are in place to protect the confidentiality, integrity and availability of the ePHI on the device and the cloud. Read these tips for securing ePHI on those devices.
- Cloud to Store ePHI. A HIPAA-covered entity or business associate can use a cloud service to store or process ePHI. The covered entity or business associate must first enter into a HIPAA-compliant BAA (business associate agreement), establishing how ePHI can be disclosed and used, with the CSP that will be creating, receiving, maintaining or transmitting ePHI on its behalf. To address more specific business expectations with your CSP, you can enter into a Service Level Agreement (SLA). SLAs can include provisions that address HIPAA concerns such as system availability and reliability, back-up and data recovery, how data will be returned to the customer after service use termination, security responsibility and use, retention and disclosure limitations.
- BAA is Required. Using a CSP to maintain ePHI without a BAA is a violation of HIPAA rules. Entering into a BAA with your CSP is the key first step. However, if a CSP meets the definition of a business associate—in other words, the CSP creates, receives, maintains or transmits ePHI on behalf of a covered entity or another business associate—remember that it is a business associate and must comply with all applicable HIPAA rules, regardless of whether it has executed a BAA. The key takeaway is that if you use or are thinking of using a CSP to create, receive, maintain or transmit ePHI on your behalf, you must have a BAA with the CSP or both you and the CSP will be in violation of HIPAA.
In summation, you still have the option of upgrading your storage and processing to the cloud. But, you need to ensure your providers maintain HIPAA compliance, just like medical providers. If you’re interested in moving to the cloud, Great Lakes Computer can help. We offer multiple levels of cloud installs from single apps, like Office 365, to total cloud solutions, like CompleteCloud from our partner, Avatara. We also offer a HIPAA Risk Advisor tool that is cost-effective and easy to use.