07-23-21 | Blog Post
Nearly 20 percent of the entire US economy is comprised of healthcare companies, which means there are a lot of organizations out there who need to concern themselves with HIPAA compliance and regulations. Add to the mix the growing trends of cloud computing and digital transformation, and it’s no wonder so many are concerned with cloud security and compliance. In this blog we’ll highlight challenges for HIPAA-compliant cloud hosting and where responsibility falls.
Quick recap: What is HIPAA and how has it evolved?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law originally passed in 1996 that specifies security, privacy and enforcement rules to protect Personal Health Information (PHI). In 2009, an updated law called HITECH was passed that revised HIPAA standards for security and privacy to account for medical records stored digitally rather than on paper. HIPAA and HITECH apply to health plans, healthcare clearinghouses, and to any healthcare provider who transmits PHI electronically (known as Covered Entities). They also apply to organizations that process electronic healthcare transactions, including private sector vendors and third-party administrators (known as Business Associates). In 2013, the HIPAA Final Omnibus Rule was passed, which again updated requirements for Covered Entities and their Business Associates (BAs).
Addressing the HIPAA Security and Privacy Rules
The most pressing sections of HIPAA as it relates to compliance for organizations are the HIPAA Privacy and Security Rules. To keep in line with the HIPAA Privacy Rule, a covered entity must make practical efforts to use, disclose and request only the minimum necessary amount of PHI required for any particular task.
The Security Rule extends the Privacy Rule to cover Electronic Personal Health Information (ePHI; remember, when HIPAA was first passed, everyone was still using paper records) and was designed to be flexible enough to cover all aspects of security without requiring specific technologies or procedures to be implemented. Unlike PCI, which prescribes more stringent technology requirements, HIPAA leaves each organization responsible for determining what its security needs are and how it will meet them.
HIPAA compliant cloud hosting: Who’s responsible?
So, you’re an organization that either already has adopted or is ready to adopt the ever-growing trend of cloud computing, but you need to be HIPAA compliant. Is that a problem? No, as long as you do your due diligence and work with the right provider who can help you ensure HIPAA compliance. For starters, the provider you work with should be willing to sign a Business Associate Agreement (BAA); you won’t meet the Privacy Rule without it.
Like most compliance regulations supported by a cloud provider, HIPAA follows a shared responsibility model. That means your provider is responsible for ensuring specific layers of the environment meet compliance, and you are responsible for the remaining layers. Generally speaking, you should consider data, software, user applications, operating systems, databases and the virtual infrastructure your responsibility. Your provider will take care of the physical infrastructure (although this varies by provider, so be sure to double check). Remember too that to be “HIPAA compliant,” all third-party elements must also be compliant.
HIPAA compliance is a process, not a checkbox. Having a “set it and forget it” mentality is not enough. HIPAA violators can face severe penalties including fines in the millions of dollars, or even jail time.
Achieving compliance is a continuous and complex task, and one that shouldn’t be done alone. Finding the right provider who is willing to sign a BAA and can assure you through independent audits and reporting of their compliance with HIPAA (or any other regulation) will be incredibly helpful to meeting compliance yourself.
Conclusion
HIPAA is a federal law aimed at protecting PHI, with a number of regulations designed to address patient privacy and data security. It affects anyone who handles PHI, whether directly as a covered entity or indirectly as a business associate. However, it’s important to remember that relying on a cloud provider with HIPAA-compliant infrastructure doesn’t automatically make you or your applications compliant. You’ll need to ensure your data, networking, ingress/egress transfers, operating systems and the rest of your stack all meet the administrative and technical standards.
Looking for a cloud provider with experience in HIPAA compliant hosting? We’ll work with you to ensure every layer of the stack is compliant — not just the infrastructure. Otava has more than 25 years of history and specializes in helping organizations achieve peace of mind with their secure, compliant cloud solutions. Visit www.otava.com to learn more or contact us to get started.