HIPAA compliance in the cloud? 3 things you need to know.
We often hear from clients that they have concerns about maintaining their HIPAA compliance mandate should they want to transition their IT to a cloud-based approach. And, of course, many of their concerns are valid. HIPAA compliance matters.
The cost of non-compliance includes steep fines, potential legal penalties and, what’s more, a huge drop in confidence from the consumers who trust your company with their Protected Health Information (PHI).
Here are 3 things you need to know about maintaining HIPAA compliance in the cloud.
Business associates have mandates too
There are a variety of cloud solutions: public, private, and hybrid. Each has its own set of characteristics. But no matter which solution a HIPAA-regulated company decides to leverage, one thing doesn’t change.
Any potential partner who will store PHI is considered a business associate under HIPAA. This means you’re required to execute a business associate agreement with that partner that outlines permitted uses and disclosures of the PHI.
Likewise, should that business associate subcontract to another entity, such as a third-party data center, it must also execute an agreement with that entity that outlines the same permitted uses and disclosures. Both entities are then liable for maintaining HIPAA compliance.
The good news is that when a company’s data is stored in a third-party data center, that center will likely have military-grade security that tightly restricts physical access. What this means for remote access to those servers depends on the specific type of cloud solution the healthcare provider engages.
It’s likely that the right cloud services provider already has systems and policies in place that meet HIPAA compliance.
You still need to restrict access
Moving your clients’ PHI into the cloud doesn’t relieve you of your liability to protect that data. That includes the electronic protected health information (ePHI) the cloud service provider handles.
You still need to institute proper levels of password complexity to control access to ePHI on the cloud servers. You also need standards for how often employees must update their passwords, including policies on logging out of unattended devices. Basically, any access-control policies you kept in place at the office level need to remain in place when using the cloud. This is key to maintaining your HIPAA compliance in the cloud.
Periodic audits should be a standard part of your approach
This one is not only mandatory to maintain your HIPAA compliance in the cloud; it should also be obvious to your business associate. As part of the business associate agreement you create, you need to be sure that your cloud service provider and its subcontractors perform periodic audits of their systems and processes to ensure compliance.
Such audits have the power to save both you and your business associates from expensive violations.
Conclusion
HIPAA compliance in the cloud may sound complex. But with the right partner and the right approach, you can enjoy the conveniences of cloud computing and maintain HIPAA compliance at the same time. If the subject sounds like a lot to take on, consider seeking out professional advice and help.