Within the healthcare community, the cloud has been perceived as a double-edged sword. On one side, the cloud represents a cost-effective solution to the problem of affording the capacity to store and analyze massive amounts of data; on the other, it presents concerns about remaining compliant with HIPAA while making strategic use of cloud services, especially following the publishing of the HIPAA omnibus rule last month. But is this apprehension warranted? And could it potentially being doing more harm than good for covered entities on the fence about migrating to the cloud?
“We sort of lead with BAA conversation because people are not even interested in talking at all without one,” says David Rocamora, Vice President of Development Operations for Control Group, about the increased interest of covered entities to sign business associate agreements when working with cloud-services providers. “The BAA opens a lot of the doors, but when we really start getting down to work, most of the people who end up moving to the cloud decide that the BAA thing isn’t an issue for them anymore because they find ways to resolve it.”
Given that the HIPAA omnibus rule tightens responsibilities for those working with protected health information and increases penalties for covered entities and business associates who fail to remain compliant, misconceptions about the cloud may prevent healthcare organizations and providers from considering what could in reality be a sound decision in terms of both finances and compliance.
According to Rocamora, the cloud should prove a valuable resource for two reasons. “Those kinds of things have changed people’s perceptions of whether or not cloud computing is appropriate for healthcare data,” he argues.
The first is the reduction of potential health data breaches:
When you look at the number of patients affected by a breach, most of the time it was because of physical theft or loss of real infrastructure — someone loses a laptop in a cab or something like that. That’s a huge win for cloud computing because we can rely on someone who has physical security policies like Amazon where they’ll publish all of the things that they can do to their data centers. That’s above and beyond what a lot of clients running their own infrastructure can do.
The second is the ability to monitor their security and privacy infrastructure more easily through automation:
When we build infrastructure, we’re basically writing programs that automate the infrastructure. My team writes the automation of this infrastructure as code and we also write tests to prove that we’re doing actually what we’re doing. So we can go to someone and say, “Your infrastructure is working exactly the way it was designed or it’s not because someone changed it and let’s figure out why.” Suddenly these tools give businesses a lot more visibility into what’s going on with their infrastructure or why things are changing.
Considering the emphasis the HIPAA omnibus rule places on breach notifications and the factors used to assess the risk to PHI mitigated by covered entities, the documentation provided by cloud-services developers detailing their systems and processes should make the challenge of both remaining HIPAA compliant and cost-efficient less burdensome moving forward.
“The tests that we’re writing are readable in plain English and definable by the business. They can see exactly what they’re doing — what’s out of compliance or in compliance — and make decisions like that,” explains Rocamora. “It has helped people who are not technical visibility into what really is happening on the technical side of things, which is helpful to increasing efficiencies in any kind of organization.”
With less than a month having passed since the publishing of the HIPAA omnibus rule, healthcare organizations and providers are still making sense of what the final ruling means their business practices and organizational workflows. And with little more than six months remaining until covered entities and their partners are required to be compliant, further understanding of the implications of the ruling will push organizations to revisit the idea of migrating to the cloud.