As healthcare professionals continue to embrace digital technologies to safeguard their patients’ information, there is an industrywide need to ensure digital ecosystems are compliant with the Health Insurance Portability and Accountability Act. This is particularly true as healthcare providers pivot to cloud storage, in addition to on-premises options. This move can help them prepare for precision medicine and population health, which require reams of data and a complex infrastructure for analytics and storage - all of which can be best accomplished in the cloud.

While cloud storage can be helpful and healthcare cloud adoption has grown exponentially, a survey conducted by Bitglass found it is trailing behind other industries thanks to HIPAA regulations. By gaining a better understanding of how to store data effectively, securely and compliantly in the cloud, providers can take the first steps to catching up with other industries.

The Basics of HIPAA-Compliant Cloud Storage

While many in the industry may rail against “antiquated” HIPAA rules, it is worth noting that they are extraordinarily flexible. They may have been written before the realities of application programming interfaces and cloud computing, but that does not mean that HIPAA cannot accommodate new technological developments. If one were to insist on new rules every time technology advances, we would be perpetually rewriting rules and never catch up.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has done a good job over the years in terms of releasing guidance documents that help explain the applicability of HIPAA regulations to real-world situations. Today’s example is the 2016 OCR guidance on cloud computing. It frames the issues that the regulated community needs to consider when employing cloud computing for storing, using or sharing protected health information (PHI) in a HIPAA-compliant manner.

A covered entity (CE) under HIPAA (for example, a healthcare provider or payor) needs to treat the cloud storage provider (CSP) as a business associate (BA). Some in the regulated community had posited that a CSP could be considered a “mere conduit” (a recognized exception under the HIPAA regulations), but OCR made clear that this is not the case. This means that CSPs storing PHI are subject to HIPAA and need to have appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule.

Once we describe a CSP as a BA, many other requirements flow naturally: the CE and the BA must have a business associate agreement (BAA) in place; the CE needs to understand the BA’s cloud environment for purposes of its own risk analysis; both the CE and the BA need to hold up their ends of the bargain in terms of implementing security controls; and so on.

A HIPAA Compliance Checklist for Healthcare Cloud Storage

Beyond these considerations, there are some less obvious issues to consider:

Is your healthcare cloud actually storing patient health information?

De-identified data is not PHI, but encrypted PHI is still PHI. Most, if not all, commercial CSPs willing to sign a BAA with a CE will require that PHI be encrypted before being stored on the infrastructure.

What are a healthcare CSP’s obligations with respect to encrypted PHI?

The CSP is responsible, under the HIPAA regulations, for maintaining the integrity and availability of the PHI. That does not change if the PHI is encrypted.

What does a CE need to do to confirm that a healthcare CSP is in compliance?

A CE must confirm to its satisfaction that technical issues, such as potential malware attacks, are dealt with appropriately and that administrative and physical safeguards are in place regarding physical security and contingency planning (for example, data center redundancy to deal with potential natural disasters or other emergencies). Not everyone is welcome to inspect the cloud storage facilities, so CSPs commonly conduct third-party audits and share the reports (such as system and organization controls reports) with customers.

A CE also needs to confirm that a CSP’s service-level agreement (SLA) does not conflict with HIPAA compliance. For example, if the SLA does not guarantee near-100 percent uptime, is the CE maintaining “availability” of PHI as it must? Does the SLA include sufficient protections against the potential effects of a ransomware attack?