Maintain HIPAA compliance while storing ePHI in the cloud

HIPAA compliance in the cloud? 3 things you need to know.

/in /by

We often hear from clients that they have concerns about maintaining their HIPAA compliance mandate should they want to transition their IT to a cloud-based approach. And, of course, many of their concerns are valid. HIPAA compliance matters.

The cost of non-compliance includes steep fines and potential legal penalties. And, what’s more, a huge drop in confidence from the consumers who trust your company with their Protected Health Information (PHI).

Here are 3 things you need to know about maintaining HIPAA compliance in the cloud.

Related: 3 steps to HIPAA security rule compliance

Business associates have mandates too

There are a variety of cloud solutions: public, private, and hybrid. And each will have their own unique set of characteristics. But no matter what solution a HIPAA-regulated company decides to leverage, one thing doesn’t change.

Any potential partner who will store PHI is considered a business associate by HIPAA. This means you’re required to execute an agreement with that associate that outlines permitted uses and disclosures.

Likewise, should that business associate sub-contract out to another entity such as a third-party data center, they must also execute an agreement with that entity that outlines the same permitted uses and disclosures. Both entities are then liable for maintaining HIPAA compliance.

The good news is, when a company’s data is stored in a third-party data center, that center will likely have military-grade security that massively restricts physical access. What this means in terms of remote access to said servers depends on the specific type of cloud solutions the healthcare provider engages.

It’s likely that the right cloud services provider already has systems and policies in place that meet HIPAA compliance.

Related: HIPAA omnibus rule

You still need to restrict access

Moving your clients’ PHI into the cloud doesn’t relieve you of your liability to protect that data. That includes the electronic protected health information (ePHI) the cloud service provider handles.

You still need to instate proper levels of password complexity to control access to ePHI on the cloud servers. Also, you need required standards on how often employees update their passwords. This should include policies on logging out of unattended devices. Basically, any policies you kept in place at the office-level need to remain in place using the cloud. This is key to maintain your HIPAA compliance in the cloud.

Related: Medical ransomware attacks on the rise

Periodic audits should be standard to your approach

This one is not only mandatory to maintain your HIPAA compliance in the cloud, it should also be obvious to your business associate. As part of the business associate agreement you create, you need to be sure that your cloud service provider and their subcontractors perform periodic audits of their systems and approach to ensure compliance.

Such audits have the power to save both you and your business associates from expensive violations.

Conclusion

HIPAA compliance in the cloud may sound complex. But with the right partner and the right approach, you can enjoy the conveniences of cloud computing and maintain HIPAA compliance at the same time. If the subject sounds like a lot to take on, consider seeking out professional advice and help.

You might also like
HIPAA compliant email How to send a HIPAA compliant email
Managed Services vs. Break-Fix The Difference Between Managed Services and Break/Fix
5 signs you're ready for an IT update
Business Technology in the workplace Why Business Technology Cannot Be a One-Size-Fits All Approach
k-12 network security for schools How to Get an A+ in Network Security for Your School
RWA staff member and server hardware 4 IT Consulting Projects That Will Make Your Business Better
Person using mobile phones represents latest SMB technology. Your SMB's 5-part checklist to the latest technology
prescription for perfect managed service provider The Prescription for a Perfect Managed Service Provider