Healthcare providers who embrace new technologies, such as the cloud, can leverage data and digital tools to deliver better health outcomes. But the rise in cloud services and cloud computing means organizations must ensure all the apps they use are HIPAA compliant.
Related: HIPAA compliant email: The definitive guide
HIPAA treats something as simple as a name as protected health information (PHI). Given that healthcare workers spend much of their time handling sensitive data, they must defend all PHI from unnecessary use and disclosure.
Here is a checklist to help you assess if your cloud services are HIPAA compliant.
The Health Insurance Portability and Accountability Act (HIPAA) is U.S. legislation created to improve healthcare standards. Title II is the part most associated with the act; it establishes privacy and security standards for PHI and ePHI (electronic PHI). The Privacy Rule sets the guidelines for using and disclosing patients' data, and the Security Rule sets the administrative, technical, and physical safeguards needed to protect PHI/ePHI.
The healthcare industry is vast, so it is understandable that healthcare organizations use cloud services for storage, infrastructure/hosting, software, and file sharing. Knowing what you need from the cloud (infrastructure-as-a-service, software-as-a-service, or platform-as-a-service) will tell you which cloud tool to pursue. The cloud offers users more flexibility and convenience, but it also increases an organization's attack surface.
That is why protecting patient confidentiality in the cloud is vital. Many cloud tools are available, but not all meet HIPAA's requirements for encryption, data backup, and access controls, and not all will provide HIPAA assurance through a signed business associate agreement (BAA).
A business associate is a person or entity that performs certain functions or activities involving PHI on behalf of a covered entity. A cloud company falls into this category, which means it must sign a BAA. The Privacy Rule allows healthcare providers to disclose PHI to a business associate only if that associate guarantees, through a BAA, that the PHI will be protected.
Related: When should you ask for a business associates agreement?
We've researched the cloud ecosystem to see which companies will sign a BAA and, therefore, may be HIPAA compliant. Cloud companies that will sign (or appear to sign) include:
And we know that Apple and iCloud won't sign a BAA. The list of cloud companies is extensive, and it is ultimately up to every healthcare organization to ensure HIPAA compliance.
Cloud technology needs strong protections because of its numerous access points, and not every service is appropriately configured out of the box. Use this checklist to ensure your chosen cloud tools keep you HIPAA compliant.
And as always, stay on top of changes to HIPAA and other state/federal regulations.
Read more: Understanding medical record retention requirements by state
Nowadays, healthcare providers embrace new technologies that leverage data and digital tools to deliver strong patient care. The increase in cloud computing demonstrates just how far healthcare organizations have recently come.
One thing that cannot be forgotten as healthcare's use of digital technologies grows is HIPAA. Penalties for breaches can be significant, ranging from $100 to $50,000 per violation. For example, the 2015 Anthem, Inc. breach cost $16 million in HIPAA violation penalties and $115 million to settle a class-action lawsuit.
But the costs don't stop there. A deliberate or accidental breach can also lead to ransom payments, downtime, and angry patients. Avoiding a breach means avoiding those costs and continuing to treat patients properly. Transitioning to a cloud service can be a daunting but worthwhile task, and a HIPAA compliance checklist like the one above helps you keep patients' data safe and patients satisfied.