HIPAA Compliance and the Cloud


Introduction

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to ensure privacy and safeguard individuals’ medical data. HIPAA applies to any covered entity that:

  • collects;
  • creates;
  • or transmits

protected health information electronically, and to their business associates who encounter such health information in any way in the course of contracted work.

HIPAA requires such entities to comply with a set of standards that outline the lawful use and disclosure of protected health information.

Covered Entities and Business Associates

A “covered entity” can be one of the following:

  • Healthcare Provider
      • Doctors
      • Clinics
      • Psychologists
      • Nursing Homes
      • Pharmacies
  • Health Plan
      • Health Insurance Companies
      • HMOs
      • Company Health Plans
      • Government programs that pay for healthcare
  • Healthcare Clearing House
      • Those that process non-standard health information they receive into a standard electronic format or data content, or vice versa.

For the purposes of HIPAA, a “business associate” is anybody who:

  • creates,
  • receives,
  • maintains,
  • or transmits

protected health information on behalf of a covered entity, including subcontractors, health information organizations, and persons who offer a personal health record to one or more individuals on behalf of the covered entity.

The covered entity should enter into a contract with the business associate that requires the business associate to detail all uses and disclosures of the protected health information and to implement best practices to safeguard it.

Importance of HIPAA Compliance

HIPAA compliance ensures the protection of sensitive personal health information and safeguards the privacy of the individual. HIPAA lays down the Privacy Rule, the Security Rule and the Breach Notification Rule.

Privacy Rule

Gives individuals the right to protect their health information, including the right to examine and obtain a copy of their health record in the manner requested, and to ask for corrections. The health information covered includes that pertaining to:

  • Individual’s health
  • Provision of health care
  • Payment for health care

Security Rule

Specifies the safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information.

The following should be considered when developing and implementing safeguards:

  • Size, complexity, and capabilities
  • Technical, hardware and software infrastructure
  • Cost
  • Impact of risk

The following safeguards must be implemented:

  • Access Controls
  • Audit Controls
  • Integrity
  • Authentication
  • Transmission Security
  • Security Management Process
  • Information Access Management
  • Security Incident Procedures
  • Constant evaluation

Breach Notification Rule

A “breach” is an unauthorized use or disclosure that compromises the security or privacy of protected health information. In the event of a breach:

  • the covered entity is obligated to notify the individuals concerned, the HHS, and, in some cases, the media;
  • the notification must be made within 60 days of discovering the breach;
  • if the breach has affected fewer than 500 individuals, the HHS should be notified annually;
  • business associates must notify the covered entity of any breach.

Violations

The HHS Office for Civil Rights (“OCR”) enforces the HIPAA rules, and violations may result in civil and, in some cases, criminal penalties. The OCR:

  • investigates complaints;
  • directs corrective action;
  • directs resolution agreements;
  • imposes penalties.

Fines under HIPAA can range from USD 100 to USD 50,000 per incident, up to USD 1.5 million.

HIPAA and the Cloud

Healthcare organizations and their business associates are migrating to the cloud at a rapid pace on account of the:

  • scalability,
  • flexibility,
  • and cost-efficiency that the cloud has to offer.

However, they are concerned about how to make the most of the cloud while remaining HIPAA compliant and secure.

While the HHS’s guidance on HIPAA and cloud computing states that:

  • the cloud service provider (CSP) should sign a business associate agreement; and
  • CSPs are directly liable for compliance with the applicable requirements of the HIPAA rules,

enterprises often overlook their own share of the security responsibility in the shared responsibility model under which cloud service providers operate.

A CSP can only put in place safeguards that enable cloud usage in a HIPAA-compliant manner; the covered entity remains responsible for ensuring HIPAA compliance and for ensuring there is no misuse or misconfiguration.

Cloud misconfiguration is the most preventable security issue, yet it is also the most common one faced by enterprises. Sensitive personal health information is being leaked or exposed to attackers as a result of misconfigured cloud storage services, and many enterprises remain unaware of it.

No data should be shared through the cloud unless it is protected by end-to-end encryption. The covered entity should ensure that the CSP uses the highest level of encryption. However, encryption alone does not provide the necessary protection or satisfy all Security Rule requirements. The covered entity should be able to define all of its security rules in the cloud and implement security best practices to ensure its data is protected there.

Interested to learn more?

Check us @ www.c3m.io
