HIPAA Compliant Cloud Storage: Key Considerations

Healthcare organizations adopt innovations quickly, and cloud computing is no exception. Offering scalability, cost-efficiency, and flexibility, everything needed to make data storage easy and convenient, cloud solutions are very promising for the sector. At the same time, they still face numerous security risks, so before deciding on this option, healthcare providers must understand how the regulations that apply to the industry influence the implementation of such solutions. Most of that attention has to go to HIPAA compliance.

This post shows how HIPAA and HITECH affect the migration to, development of, and adoption of cloud solutions. First, though, let’s start with some statistics on cloud solutions used by healthcare organizations.

Cloud Solutions in Healthcare: Statistics

The first thing to mention is that cloud solutions are gaining popularity among health organizations of all sizes. According to a study conducted by HIMSS Analytics, 65% of healthcare organizations in 2017 made use of the cloud or cloud services. The most popular services identified were SaaS (software as a service), disaster recovery, and cloud hosting. 84% of the 50 respondents from the largest healthcare organizations in the US stated that they use cloud services; of those, 81% use them for IT and administrative functions, 57% for analytics, and 40.5% for clinical applications and external data sharing. At the same time, 74% of the 50 respondents expressed a wish to move existing or new workloads to the cloud. The study showed that the most common use of the cloud among these organizations is hosting analytics applications and data: 48% of the organizations working with cloud providers did so to store data, including protected health information (PHI). So it is no surprise that adherence to regulatory requirements such as HIPAA and HITECH topped the list of factors these organizations consider when choosing a cloud service provider. HIPAA-HITECH compliance was marked as the top priority by 54% of these organizations, followed by the willingness to meet BAA requirements (38%) and technical security (32%).

So what is HIPAA compliance, and why is it so important to the relationship between a cloud service provider and a healthcare organization? Let’s find out.

How the Introduction of HIPAA-HITECH Affected Cloud Adoption

To start with, let’s define HIPAA.

The act applies to healthcare providers, as well as clearinghouses and health plans, collectively referred to as ‘covered entities’, as defined above.

Ten years ago, business associates were added to this list. This means the act was extended to service providers and individuals who handle HIPAA-protected information on behalf of covered entities. The extension was introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the HITECH extension, a covered entity must sign a contract with a cloud service provider before any protected health information (PHI) is uploaded to the cloud. This kind of contract is known as a BAA (business associate agreement); it establishes the permitted uses of protected information and the terms under which it may be disclosed. It is important to note that a BAA is required even when the cloud service provider does not hold the key to decrypt the data, that is, when the service covers only the storage of encrypted PHI. There is still one exception: when the cloud provider’s service is limited to the storage, processing, transmission, and maintenance of de-identified information.

It is also worth noting that the introduction of the HITECH Act dramatically changed HIPAA penalties. The current penalties are shown below.

The extension also obliges business associates to notify the Office for Civil Rights (OCR) as soon as possible of any breach that affects more than five hundred people. A breach notification map is shown below.

But how do breaches occur? Here are the main types of HIPAA breaches:

This is where cloud solutions come into play, helping to secure endpoints. Nevertheless, things aren’t that simple, because the cloud storage itself must be HIPAA compliant and adhere to the Privacy Rule and the Security Rule.

Requirements for Cloud Providers Offering Services to Healthcare Organizations

Three basic elements make a cloud service provider HIPAA compliant: security, privacy, and breach notification. Each of them is described below in more detail.

But is it only the cloud vendor who is responsible for meeting these requirements?

HIPAA: Who Must Comply?

Even though a cloud service provider offering services to organizations that handle ePHI must comply with HIPAA-HITECH regulations, a healthcare organization that requests cloud services must also take steps to become HIPAA compliant. It is the customer who must make sure that the organization it represents has an adequate compliance program and internal processes in place. In other words, HIPAA compliance is the responsibility of both the customer and the cloud vendor.

Choosing a Vendor

When a healthcare organization decides to implement some kind of cloud solution, choosing a provider is not as easy as it may seem at first. Since both HIPAA-HITECH compliance and a BAA are required, the organization has to make sure that the vendor is trustworthy, reliable, and adheres to HIPAA regulations. For this reason, the most popular options are often the world-known providers, three of which are described below.

Microsoft

The company is known for providing some of the best security tools in the industry and is at the forefront of HIPAA-HITECH compliance. It offers BAAs for most of its applications, including Office 365 mail, file storage, and calendars. Nevertheless, the company states that although it offers a BAA to support its clients’ HIPAA compliance, it is the client who is responsible for having an adequate compliance program and internal processes in place.

Google

Although not all Google Cloud products are HIPAA compliant, the infrastructure of Google Cloud Platform is covered. Furthermore, Google offers a BAA for G Suite applications, including Gmail, Google Calendar, Google Docs, Google Sheets, Google Slides, and Google Forms. The HIPAA compliance model offered by Google is one of shared responsibility.

Amazon

Amazon, one of the fastest-growing companies offering cloud services among many others, offers a BAA for its web services. Nevertheless, configuring HIPAA compliant cloud storage is the client’s responsibility: Amazon provides only a quick guide. Like Google Cloud Platform, Amazon offers a shared responsibility model.

At Elinext, we have extensive experience delivering cloud solutions for a range of healthcare organizations. If you have any questions concerning HIPAA compliance, cloud migration, or any other related service, feel free to contact us at any time.
