- Cloud computing is quickly becoming a popular option for healthcare organizations, including both covered entities and business associates. Offsite storage can support data security measures while keeping the information accessible from numerous locations.
Additionally, cloud options can assist in remote offices, as employees can still log in to databases or network systems from somewhere outside the main business.
However, patient data security needs to remain a top priority. Not every cloud computing option is ideal for every healthcare organization, and entities need to ensure that privacy and security are not compromised simply for convenience's sake.
What should covered entities and their business associates consider with cloud options? How do business associate agreements (BAAs) come into play with these technologies? What does HIPAA require in terms of cloud computing?
HealthITSecurity.com will review these top areas of concern and also show how some providers have implemented cloud computing in the past year, while maintaining data security. We will also discuss how federal regulations have been modified to account for cloud options, helping industry stakeholders understand how to find the right balance between innovation and security.
Recent guidance on healthcare cloud security
As previously mentioned, HHS released updated cloud computing guidance earlier this year. The guidance was designed to help covered entities and business associates take advantage of cloud computing while staying HIPAA compliant. Cloud service providers (CSPs) should also understand HIPAA regulations and how those rules potentially apply to their organization.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” the guidance explained. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
Business associate agreements are essential in the relationship between covered entities or business associates and the CSP, HHS maintained.
Each party will be “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
A BAA is important because it establishes the permitted and required uses and disclosures of ePHI that a business associate can perform, HHS stated. This could differ depending on the relationship between the parties or the activities and/or services that the business associate needs to perform.
HHS also noted how a service level agreement (SLA) might assist in addressing more specific business expectations between the CSP and its customer. The provisions could cover the following areas:
- System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.
Data encryption was also a key aspect of the cloud computing guidance. A CSP should know that it is still considered a HIPAA business associate even if it only stores encrypted ePHI and does not hold the decryption key.
An organization is still a BA under HIPAA regulations even if it cannot actually view the ePHI it is maintaining for a covered entity or fellow BA.
Data encryption can help reduce the risk of unauthorized access, but it is not enough by itself to maintain ePHI security, according to HHS.
“Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.”
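The HHS point that encryption alone does not maintain integrity can be shown concretely. The following is an added illustration, not code from the guidance or from any provider named on this page: it uses a toy XOR stream cipher (keystream derived with HMAC-SHA256, for demonstration only) over a constructed ePHI record, flips one byte of the stored ciphertext to simulate corruption, and compares plain encryption, which decrypts the damaged data without complaint, against encrypt-then-MAC, which refuses to return it.

```python
import hashlib
import hmac

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter). Illustrative only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_only(key: bytes, data: bytes, nonce: bytes) -> bytes:
    # XOR with the keystream; the same call decrypts. Confidentiality only, no integrity.
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    # Encrypt-then-MAC: tag covers nonce and ciphertext so any corruption is detectable.
    ct = encrypt_only(enc_key, plaintext, nonce)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Verify the tag before decrypting; return None rather than corrupted ePHI.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt_only(enc_key, ct, nonce)

def corrupt(blob: bytes, index: int) -> bytes:
    # Simulate storage corruption or malware damage by flipping one bit.
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)

def demo() -> dict:
    # Constructed keys, nonce and record; fixed so the run is repeatable.
    enc_key, mac_key, nonce = b"\x11" * 32, b"\x22" * 32, b"\x33" * 16
    record = b"MRN=000123;DX=J45.20"  # constructed sample ePHI record
    ct = encrypt_only(enc_key, record, nonce)
    silent = encrypt_only(enc_key, corrupt(ct, 4), nonce)  # decrypts, but wrong data
    blob = seal(enc_key, mac_key, record, nonce)
    detected = open_sealed(enc_key, mac_key, corrupt(blob, 16 + 4))  # same byte, now caught
    return {
        "silent_corruption": silent != record,
        "tamper_detected": detected is None,
        "intact_roundtrip": open_sealed(enc_key, mac_key, blob) == record,
    }
```

Availability is the other half of the HHS point: even the sealed form only tells you the copy is bad, so a verified, separately stored backup is what lets the record be restored.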
Healthcare cloud offers secure storage and more for entities
Having secure storage options for patient data is just one potential benefit of cloud computing, along with hardened database security and optimized organizational performance.
Earlier this year, HealthITSecurity.com spoke with National Kidney Registry (NKR) Director of Education and Development Joe Sinacore about how NKR recently made moves to improve its cloud storage.
NKR worked with Rackspace for healthcare cloud options, Sinacore explained, and said that as the organization grew, it realized it was time to change how it stored patient data.
“We realized that in order for us to continue to grow we couldn't just simply have servers sitting in our own little data center without us starting to invest a significant amount of money into building out a more robust data center,” Sinacore said. “We also needed to hire people to operate it.”
NKR first migrated its email server, and then moved its servers for other operations.
“We came up with a generic business associate agreement and told all our transplant centers we're going with this now,” Sinacore recalled. “At the same time, we installed a HIPAA compliant server at Rackspace that Rackspace provides. It has a service that provides and it monitors all of the data going in and out through the firewall to make sure that we're not exposing any of this personal information to the wrong people.”
Cloud computing can also assist healthcare organizations with their disaster recovery planning, as Florida-based NCH Healthcare System did. Director of Radiology Jim Bates told HealthITSecurity.com earlier this year how NCH strengthened its data security approach with a comprehensive disaster recovery plan with image archiving.
“We were searching for the right combination of equipment, archiving, image transfer, etc.,” he said. “We were doing our due diligence, and visiting other hospitals that already implemented PACS, and it became quite apparent that the archive was a huge part and also probably the weakest link. As the archive materials changed – tape or DVD for example – everybody had a different view.”
NCH renewed its services with Dell, Bates said, and the provider has two offsite locations that it uses to store images.
Utilizing the cloud boosts data security and lets clinicians access the images whenever they need them, Bates explained. Patients also benefit, as they no longer have to bring their own images with them on visits.
Bates added that NCH’s unified clinical archive (UCA) consists of local onsite storage, which is also backed up by redundant offsite archiving. NCH also complies with the Digital Imaging and Communications in Medicine (DICOM) standard for the secure handling, storage, and transmission of medical images.