Cloud computing is a critical component for modern healthcare organizations. When done right, any health-related information collected is protected from the public. That’s why more and more healthcare organizations, such as Philips and Siemens, are embracing the cloud, using providers like AWS and Azure to store critical medical information.
However, can the cloud be trusted to manage, access, and transfer sensitive personal and medical information? We get this question a lot, and in fact, ensuring that medical information remains confidential is an ethical standard that US healthcare companies must uphold. This applies to historical medical records, too. Otherwise, negligent organizations risk prosecution and massive fines.
As such, we’ve provided an overview of what HIPAA is, why healthcare organizations should leverage the cloud, and what to look for in HIPAA-compliant cloud solutions below.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules that outlines the allowable uses and disclosures of patient medical records. It lays out when, how, and by whom medical records may be accessed, and it sets the standard for guarding against unauthorized access to patient health information. Keep in mind that health information must be secured through reasonable efforts; consult a lawyer to understand the full extent of what that means.
Why Use the Cloud for Healthcare?
The answer is simple: to derisk your business. This is especially helpful for small to medium-sized businesses that lack the capital for on-premises servers. With an effective Business Associate Agreement (BAA) in place, you can offload HIPAA responsibilities to cloud providers. Note two things:
- You are responsible for the due diligence behind your cloud services. Not all of them comply with HIPAA.
- You are still responsible for securing and managing any applications or web pages that interact with the cloud service. A breach in these areas would be on you to resolve.
HIPAA Compliant Cloud Services
When processing personal health information (PHI), businesses must follow industry best practices for healthcare data security and take every reasonable step to protect it. In addition, businesses must consider the following when using HIPAA-compliant cloud services:
- HIPAA-compliant clouds must support single sign-on or two-step authentication and support the transfer of ePHI that is encrypted.
- Non-HIPAA-compliant clouds don’t offer a BAA to covered entities. Without a BAA, you are responsible for data breaches that happen on their cloud. For example, cloud services like iCloud fall into this category and should not be used. AWS and Azure do offer a BAA for specific services.
- Some cloud services may not provide the integrated security services essential for HIPAA compliance, which is why ePHI can’t be stored on them.
Cloud providers that support HIPAA compliance include AWS, Box Enterprise and Elite, G Suite, Google Drive, Dropbox Business, Microsoft OneDrive, and E5. Note that not all services from these cloud providers are HIPAA compliant, so each service must be reviewed for compliance. For example, AWS released a white paper titled “Architecting for HIPAA Security and Compliance on Amazon Web Services” that details which AWS services are HIPAA-compliant. This white paper also details the different Amazon resources needed for building a HIPAA-compliant architecture.
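As an added example (not from the original post or from any provider’s documentation), the following Python checks an S3 bucket policy for the encrypted-transfer requirement listed above: it flags a policy that does not deny plain-HTTP access or uploads without server-side encryption. It assumes ePHI is stored in an S3 bucket; the account id, role and bucket names are constructed samples.

```python
"""Offline check of an S3 bucket policy for two ePHI controls: deny access
over plain HTTP and deny uploads that do not request server-side encryption.
Assumes ePHI lives in an S3 bucket; account id and bucket name are constructed."""
BUCKET = "arn:aws:s3:::example-ephi"  # constructed sample bucket

def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _actions(stmt):
    acts = stmt.get("Action", [])
    return {acts} if isinstance(acts, str) else set(acts)

def _denies_plain_http(stmt):
    # Deny when the request did not arrive over TLS (aws:SecureTransport=false).
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny" and bool(_actions(stmt) & {"s3:*", "*"})
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")

def _denies_unencrypted_put(stmt):
    # Deny PutObject when the SSE header is absent ("Null" condition is true).
    cond = stmt.get("Condition", {}).get("Null", {})
    return (stmt.get("Effect") == "Deny"
            and bool(_actions(stmt) & {"s3:PutObject", "s3:*", "*"})
            and str(cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true")

def ephi_policy_gaps(policy):
    """Return the required controls that no statement in the policy enforces."""
    stmts = _statements(policy)
    gaps = []
    if not any(_denies_plain_http(s) for s in stmts):
        gaps.append("deny-non-tls")
    if not any(_denies_unencrypted_put(s) for s in stmts):
        gaps.append("deny-unencrypted-put")
    return gaps

# Weak policy: grants the app role read access but enforces neither control.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ehr-app"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# Hardened policy: same grant plus the two explicit Deny statements.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": WEAK_POLICY["Statement"] + [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
```

Run the check against a bucket’s actual policy document (as returned by the S3 API) before placing ePHI in it; bucket default encryption still belongs alongside the PutObject deny.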
The Bottom Line / TLDR
Using a cloud computing service provider is essential, but special consideration must be given to complying with HIPAA. That means you must 1) understand HIPAA compliance and 2) leverage cloud services that offer a BAA for your website, application, and other business needs.
Need help with navigating your healthcare organization through the cloud? Connect with a cloud partner like Uplancer to help you navigate the challenges of HIPAA compliance for your tech infrastructure today.