What to Look for in a HIPAA Cloud Provider

The deadline draws near – September 23, 2013 marks the date of when both business associates (now including cloud service providers) and covered entities must meet the HIPAA Omnibus rule, released in January to update the 15-year-old law.

A refresh is needed particularly to meet advancing technology and the push to electronic health record systems (EHRs) to streamline patient care and increase the healthcare industry’s efficiency in hopes to reduce healthcare costs.

The cloud is a big player in this game, allowing for high-capacity storage and processing of healthcare applications and data being produced en masse. With the cloud infrastructure as a service (IaaS), healthcare software as a service (SaaS) companies can take advantage of cloud scalability while protecting sensitive patient data – if designed with high availability and security at top of mind.

The Dept. of Health and Human Services recognizes the healthcare industry will use the cloud – but by placing cloud service providers under the scope of compliance, they are making it clear that the cloud needs to meet the same security standards to reduce the risk of a data breach.

Choosing a HIPAA compliant cloud provider isn’t simple in these times, and as a healthcare organization or SaaS company, you need to know the basics to ensure you’re covered by September 23:

1. Encryption. Do they offer encryption of data at rest and in transit with their cloud solution? Or do you have to spend more time and resources to add another encryption service on top of their cloud to make it work? Encrypting data exempts you from the HIPAA Breach Notification Rule and keeps data confidential even if accessed.
2. HIPAA Report on Compliance (HROC). The final HIPAA rule says cloud providers are considered business associates. Wouldn’t you rather your cloud provider has already undergone a third-party audit of their services to ensure your data safety and compliance (and to save you the trouble of paying for another audit of your business associate)? Don’t just take their word for it – review a copy of their HIPAA audit report and check they’re audited against the OCR HIPAA Audit Protocol.
3. Business Associate Agreement (BAA). Check on their policies around data breach notification, data termination, data access and what services they provide that help you meet compliance.
4. Private clouds. A HIPAA compliant private cloud environment can give you dedicated compute, memory and disk performance, meaning your resources are always reserved for you when you need them. Some public cloud setups allocate resources to other tenants on a first-come, first-served basis, meaning you may be out of luck.
5. Disaster recovery and offsite backup. The HIPAA Contingency Plan standard requires covered entities to establish and implement a backup and full disaster recovery plan to recover systems that contain electronic protected health information (ePHI) – having one for the cloud ensures your data is always available regardless of a natural disaster.