Paubox blog: HIPAA compliant email made easy

A guide to HIPAA and cloud computing

Written by Kirsten Peremore | July 11, 2023

Cloud computing services offer cost-effective data storage and collaboration to healthcare organizations of various sizes. This helps these organizations maintain consistent access to patient data and minimize risks associated with onsite data storage.


Understanding cloud computing services

Cloud computing service refers to the delivery of computing resources over the internet on demand. These services provide access to a wide range of infrastructure, platforms, software, and storage. They are typically offered by cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.

Related: The HIPAA compliant cloud services checklist


Examples of cloud computing services

  1. Infrastructure as a service (IaaS): IaaS provides virtualized computing resources, including virtual machines, storage, and networking.
  2. Platform as a service (PaaS): PaaS provides a platform for developing, deploying, and managing applications without the complexity of infrastructure management.
  3. Software as a service (SaaS): SaaS delivers fully functional applications over the internet, eliminating the need for users to install and maintain software locally.
  4. Storage as a service: Storage as a service provides scalable and flexible storage resources accessible over the internet.
  5. Database as a service (DBaaS): DBaaS provides managed database services in the cloud. Users can leverage various database engines, such as relational (e.g., MySQL, PostgreSQL) or NoSQL (e.g., MongoDB, Cassandra).
  6. Containers as a service (CaaS): CaaS offers a platform for deploying and managing containerized applications.
  7. Function as a service (FaaS): FaaS, also known as serverless computing, enables users to run individual functions or code snippets in response to events or triggers.


HIPAA and cloud service providers

Covered entities are required to protect any protected health information (PHI) collected and stored within their organization. Any cloud service provider (CSP) that stores PHI on behalf of a covered entity is considered a business associate under HIPAA and is therefore held responsible for the safety of the data in its care.

Even if the CSP only stores encrypted ePHI and does not have the decryption key, it is still considered a HIPAA business associate. Encryption alone is insufficient to ensure the confidentiality, integrity, and availability of ePHI as required by the HIPAA Security Rule. The CSP must implement reasonable and appropriate controls to limit access to information systems that maintain customer ePHI.


What to look for in HIPAA compliant cloud computing services

Verify HIPAA Compliance

Look for providers who have undergone independent audits and assessments to validate their compliance with HIPAA regulations. Request documentation or certifications to verify their compliance status.


Evaluate Data Security Measures

Evaluate the security measures implemented by the cloud computing service provider. Additionally, inquire about their incident response and breach notification procedures.


Review Business Associate Agreement (BAA)

Verify that the cloud computing service provider is willing to sign a BAA, as required by HIPAA regulations. The BAA establishes the responsibilities of the provider in safeguarding PHI and complying with HIPAA requirements.


Evaluate Scalability and Performance Capabilities

Evaluate the scalability and performance capabilities of the cloud computing service. Ensure the infrastructure can handle increasing data volumes and user demands without compromising security or performance.


Clarify Data Ownership and Portability

Clarify the terms of data ownership and portability. Understand who owns the data stored in the cloud and how it can be retrieved or transferred in the event of contract termination or migration to another provider.


Assess Service Reliability and Availability

Assess the service level agreements (SLAs) provided by the cloud computing service provider regarding uptime, availability, and performance guarantees. Look for high-availability architectures, redundancy measures, and disaster recovery plans to minimize downtime and ensure continuous access to PHI.


Consider Vendor Reputation and Support

Research the reputation and track record of the cloud computing service provider. Read customer reviews and testimonials, and assess their experience in serving the healthcare industry. Inquire about the level of customer support and the responsiveness of their technical support team.

Related: The 12 steps to HIPAA compliance


Restrictions on international data transfers

The HIPAA Privacy Rule requires covered entities and business associates to safeguard PHI and imposes restrictions on the transfer of PHI to locations outside of the United States. It permits covered entities to disclose PHI to business associates, which may include CSPs, as long as a valid BAA is in place. However, if a CSP, as a business associate, intends to store or process PHI outside of the United States, there are additional considerations and requirements. These include:

  1. Authorization from individuals before their PHI can be transferred internationally for purposes other than treatment.
  2. When PHI is transferred internationally, it must receive the same level of protection as it would have in the United States.
  3. Covered entities and business associates must be aware of and comply with the privacy laws and regulations of the foreign country where the data will be transferred.
  4. The BAA between the covered entity and the CSP must explicitly address the international transfer of PHI. It should include provisions to ensure compliance with the Privacy Rule and applicable foreign laws.
  5. Depending on the country's laws and regulations, there may be risks of access to the transferred data by foreign governments or other entities.

Related: HIPAA Compliant Email: The Definitive Guide