Implementing cloud solutions as part of health IT infrastructure raises questions about HIPAA compliance when making use of cloud computing.
Healthcare cloud-based technology functions differently from legacy storage or information-sharing solutions because of how electronic health data is accessed and stored, with potential implications for adhering to HIPAA’s security and privacy provisions.
Cloud is an umbrella term covering the sharing of computing resources and provision of data to connected devices on demand. Cloud technology extends to all facets of IT infrastructure, from front-end user applications to data storage. Organizations can choose to migrate as many or as few aspects of their health IT infrastructure to the cloud as they see fit.
Cloud computing offers healthcare organizations a dynamic infrastructure that absorbs additional cloud solutions to build a scalable and future-proof network of solutions. Remote file sharing, Wi-Fi enabled devices, and custom applications are just some of the layers cloud computing enables.
The Center for Democracy and Technology (CDT) outlines several ways cloud computing is beneficial to the healthcare industry:
Health care providers, particularly those with limited IT staff and budget, may find it difficult to make decisions about upgrades to software and hardware; cloud service providers (CSPs) will have routine processes in place for making and implementing those decisions. Cloud computing is very flexible and can scale to a health care provider’s needs; large, unexpected changes in the needs of an organization are easy to accommodate in a cloud computing model.
Cloud computing is still in its earliest phases of implementation in the healthcare industry. A survey conducted last year by Bitglass found that healthcare cloud adoption grew from 8 percent to 37 percent, but it lagged behind other industries due to HIPAA regulations.
According to a report published by BioMed Central, “cloud computing is favored more [in healthcare] for singular, individual features such as elasticity, pay-per-use and broad network access, rather than as cloud paradigm on its own.”
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes “national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain healthcare transactions electronically.”
The HIPAA Omnibus Rule is possibly the biggest hurdle organizations face when beginning the cloud implementation process.
The Omnibus rule states that:
a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.
CDT notes that healthcare organizations are “required to execute agreements with their business associates that set forth the permitted uses and disclosures of PHI by the business associate. Business associates that hire subcontractors to perform some of the services or functions requested by the covered entity must also execute business associate agreements with those subcontractors.”
According to HealthITSecurity.com, the HIPAA Omnibus guidelines “make entities that are defined as business associates (BAs) directly accountable if they run afoul of the regulations. In the area of data breaches [before the Omnibus Rule], BAs only needed to notify covered entities in breach cases that could result in significant risk of financial/reputational harm. But under the Omnibus Rule, any disclosure of patient data is subject to notification (unless the BA can demonstrate a low probability that the PHI has been compromised).”
“While BAs are directly liable under HIPAA,” HealthITSecurity.com continued, “covered entities are also directly held responsible for any actions of their BAs. This fact alone makes a great case for taking time and following a rigorous process when selecting your cloud-based service providers.”
Organizations often implement more than one cloud solution from several cloud vendors for storage or application development. Each cloud service provider and subcontractor is obligated to enter into a business associate agreement. Any cloud vendor that handles PHI is required to protect it to HIPAA standards, which is an intimidating notion, especially if an organization is working with multiple cloud vendors.
One of the biggest drawbacks to cloud adoption in the healthcare industry, state the authors of the BioMed Central report, stems from involving external cloud partners. However, HealthITSecurity.com reported that cloud service providers that implement proper security for PHI have “little liability risk as a business associate,” meaning that a majority of cloud service providers maintain security on par with HIPAA standards.
Many large cloud service providers, such as VMware, outline how their solutions abide by HIPAA standards so that healthcare organizations better understand how the vendor accommodates healthcare organizations.
The company’s guide to HIPAA and HITECH summarizes VMware’s goal as, “helping organizations with the arduous task of meeting and maintaining HIPAA and the HITECH act regulatory compliance, VMware and its partners provide suites of virtualization solutions which address the confidentiality, integrity, and availability requirements of HIPAA/HITECH.”
VMware’s report breaks down their cloud and virtualization offerings, highlighting specific features which are compatible with HIPAA rules and regulations.
Remaining HIPAA compliant is one of the top priorities healthcare organizations need to consider when looking for a cloud solution. Vendors such as VMware and Amazon Web Services provide documentation for healthcare organizations outlining how their cloud solutions are HIPAA compliant.