If you’re a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), then you already know that HIPAA is serious business. HIPAA violations carry penalties ranging from $100 all the way up to $50,000 per violation. Between those penalties, possible civil liability or criminal prosecution, and the damage that mandatory public breach notifications can do to your organization, one thing is clear: remaining HIPAA-compliant is no longer optional. And with HIPAA posing enough on-premises challenges, is HIPAA cloud security even possible?
The answer is yes. And HIPAA cloud security can be easier than it looks. Keep these three requirements in mind as you work towards a HIPAA-compliant cloud computing strategy.
The HIPAA Omnibus Rule of 2013 slightly eases the compliance burden on covered entities by expanding the definition of Business Associate (BA) to cover more service providers. And, as Health IT Security points out, although the Omnibus Rule now holds “all parties that come in contact with patient data responsible in the event of a breach,” this doesn’t absolve your organization if one of your BAs fails to comply. As a covered entity, you are still held directly responsible for the HIPAA cloud security of your enterprise’s electronic Protected Health Information (PHI). No matter what a cloud service provider promises or how many times the phrase “HIPAA compliant” appears in their marketing materials, you must still work to ensure the security of your organization’s PHI.
Because HIPAA compliance and HIPAA cloud security remain your responsibility, you must make sure that your organization is working from a clear and thorough understanding of HIPAA requirements. IT Business Edge recommends that “your cloud provider should have a dedicated person on-site whose job it is to be responsible for matching the provider’s offerings with HIPAA’s requirements,” but since HIPAA compliance is ultimately your responsibility, we believe that HIPAA compliance should start closer to home. Your legal team must not only correctly understand HIPAA guidelines as they apply to your cloud computing strategy, but also be able to clearly communicate their interpretation to IT staff and other personnel responsible for HIPAA-protected data.
What your legal team’s interpretation of HIPAA will boil down to is simple: Your organization must maintain full control of your organization’s PHI at all times in order to ensure HIPAA cloud security compliance. Control must start at your premises, with strong, industry-standard encryption and tokenization options to protect PHI, and the ability to selectively apply those options to exactly the data that needs to be protected. Control must then extend beyond your perimeter into the cloud. Encryption keys should remain exclusively in the hands of your organization to prevent unauthorized access to your data. And, finally, control must be maintained with robust user and activity monitoring and reporting features to generate an audit trail and keep you on top of what’s happening with your organization’s PHI at all times. Only full control can ensure HIPAA cloud security.
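The control model described above, as an added illustration that is not part of the original post: PHI fields are selected by a constructed classification, replaced on premises by random tokens before a record goes to the cloud, the token vault and re-identification step stay on premises, and every PHI operation, allowed or denied, lands in an audit trail. The field names, actors and patient values are constructed for the example.

```python
import secrets
from datetime import datetime, timezone

# Constructed classification: these record fields are PHI and must never reach
# the cloud in the clear; all other fields may be stored there as-is.
PHI_FIELDS = {"name", "ssn", "dob"}


class OnPremTokenVault:
    """Keeps the token -> PHI mapping and the audit trail on premises.
    Only the tokenized copy of a record is ever sent to the cloud."""

    def __init__(self, authorized_actors):
        self._vault = {}                       # token -> original value, never exported
        self._authorized = set(authorized_actors)
        self.audit_log = []                    # one entry per PHI operation

    def _audit(self, actor, action, field_name, ok=True):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "field": field_name, "ok": ok})

    def tokenize_record(self, record, actor):
        """Return a cloud-safe copy: PHI fields replaced by random tokens."""
        safe = {}
        for k, v in record.items():
            if k in PHI_FIELDS:
                token = "tok_" + secrets.token_hex(16)  # unguessable, no link to v
                self._vault[token] = v
                safe[k] = token
                self._audit(actor, "tokenize", k)
            else:
                safe[k] = v
        return safe

    def detokenize_record(self, safe_record, actor):
        """Restore PHI on premises; every attempt, allowed or denied, is logged."""
        phi_present = [k for k in PHI_FIELDS if k in safe_record]
        if actor not in self._authorized:
            for k in phi_present:
                self._audit(actor, "detokenize", k, ok=False)
            raise PermissionError(f"{actor} is not authorized to view PHI")
        restored = dict(safe_record)
        for k in phi_present:
            restored[k] = self._vault[safe_record[k]]  # KeyError if token is unknown
            self._audit(actor, "detokenize", k)
        return restored


def is_cloud_safe(record):
    """True if no PHI field carries a clear-text value (all are tokens)."""
    return all(str(record[k]).startswith("tok_") for k in PHI_FIELDS if k in record)
```

Because tokens are random rather than derived from the PHI, a compromised cloud copy yields nothing without the on-premises vault, and the audit log shows exactly who re-identified which field and when.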
At the end of the day, HIPAA cloud security is more than just one feature. It doesn’t have to be impossibly complicated, though. If you want to take advantage of the flexibility, scalability, and cost benefits of the cloud without running afoul of the law, here’s what you have to do: Understand that you’re responsible, understand your responsibilities, and take control.
What is your organization doing to achieve HIPAA compliance in the cloud? Let us know in the comments.