Before a healthcare organization uses a cloud provider to store or process protected health information (PHI), or to develop web-based applications that collect, store, maintain, or transmit PHI, the covered entity must verify the security of the services.
Even if a cloud computing service provider holds a HIPAA certification, or claims that its platform is HIPAA compliant, the platform may not be used with ePHI until a risk analysis has been performed (see 45 CFR § 164.308(a)(1)(ii)(A)).
A risk analysis is essential for the HIPAA compliance of cloud computing systems. After carrying out a risk analysis, a covered entity needs to establish risk management policies for the service (45 CFR § 164.308(a)(1)(ii)(B)). The identified risks must be addressed and reduced to a reasonable and appropriate level. A complete, HIPAA-compliant risk analysis is not possible unless the covered entity fully understands the cloud computing environment and the service provided by the platform provider.
Cloud Service Providers Are Considered HIPAA Business Associates
A HIPAA business associate is any person or entity that operates on behalf of a HIPAA-covered entity, or provides services to a HIPAA-covered entity, and requires access to protected health information (PHI) to perform that function.
The HIPAA definition of a business associate was amended by the HIPAA Omnibus Rule and now includes entities that create, receive, maintain, or transmit PHI. The last two clearly apply to cloud computing platform providers. Therefore, a covered entity must enter into a business associate agreement (BAA) with the cloud service provider.
The BAA must be obtained from the cloud service provider before any PHI is uploaded to the platform. A BAA is still required even when the platform is used only for storing encrypted ePHI and the decryption key is not provided to the platform service provider. The only exemption is when the cloud platform is used solely for storing, processing, maintaining, or transmitting de-identified ePHI.
The BAA is a contract between the covered entity and the service provider. The BAA must define the permitted uses and disclosures of PHI, state that appropriate safeguards have been implemented to prevent unauthorized use or disclosure of ePHI, and clarify all aspects of the HIPAA Rules that apply to the cloud platform provider. Information about the contents of a HIPAA-compliant BAA is available from HHS here.
Cloud computing service providers and cloud data storage firms that have access to PHI may be penalized for failing to comply with HIPAA Rules, even if the service provider does not view any of the information stored on the platform. Note that not all cloud service providers are willing to enter into a BAA.
A BAA Is Not the Only Requirement to Be HIPAA Compliant
Simply obtaining a BAA for a cloud computing service does not guarantee that a covered entity is HIPAA compliant. HIPAA Rules can still be violated despite having a BAA in place, because no cloud service provider is truly HIPAA compliant on its own. HIPAA compliance depends on how the platform is used.
For instance, Microsoft signs a BAA for Azure; however, it is the responsibility of the covered entity to use the platform in a way that complies with HIPAA. If a covered entity fails to configure or apply appropriate access controls, it is the covered entity, not Microsoft, that is in violation of HIPAA Rules. Microsoft offers a BAA to help support HIPAA compliance, but using Microsoft services does not by itself achieve it. Your company is responsible for ensuring that it has an adequate compliance program and internal procedures. You need to align your use of Microsoft services with HIPAA and the HITECH Act.
Penalties for Using the Cloud Without Complying with HIPAA Rules
The Department of Health and Human Services’ Office for Civil Rights (OCR) has already issued fines to HIPAA-covered entities that did not obtain business associate agreements before sending PHI to the cloud, did not perform a risk analysis, or failed to manage identified risks.
St. Elizabeth’s Medical Center in Brighton, Mass. agreed to pay OCR $218,400 in 2015 for potential HIPAA Security Rule violations after uploading PHI to a document sharing platform without first evaluating the risks of using the service. Phoenix Cardiac Surgery agreed to pay OCR $100,000 for not obtaining a BAA from an online calendar and email service vendor before using the service with PHI. In 2016, Oregon Health & Science University settled for $2.7 million after it was found to have stored ePHI in the cloud without first obtaining a HIPAA-compliant BAA.
How Healthcare Companies Are Using the Cloud
A growing number of healthcare companies are using the cloud and cloud services. In January 2017, HIMSS Analytics surveyed 64 healthcare companies of varying sizes about how they use the cloud. The survey revealed that 65% of healthcare companies already use the cloud or cloud services, including smaller hospitals or those with fewer than 50 beds. The area where cloud use grew the most was software-as-a-service (SaaS), from 20% in 2014 to 88% in 2016, followed by disaster recovery, from 42% to 61%, and hosting of medical applications, from 52% to 63%.
A HIMSS/ClearData survey of 50 participants from the largest healthcare companies in the US showed that 84% of those companies now use cloud services, and 74% of them intend to move existing or new workloads to the cloud. 85.7% of the healthcare companies use cloud services for IT (which includes hosting archived data, backups, and desktop and server virtualization). 81% use the cloud for management functions (financial, HR, operational, and back office applications). 57% use the cloud for analytics and 40.5% for external data sharing and clinical applications.
When asked about the top factors considered when selecting a cloud service provider, the reason selected most often, by 54% of organizations, was adherence to regulations such as HIPAA and the HITECH Act. Other reasons included willingness to satisfy BAA requirements (38%) and technical safety measures (32%). When it comes to security, the major cloud vendors are considered the best option because they can employ the best personnel and devote substantial resources to ensuring their platforms are protected.
Two of the most commonly used platforms are Microsoft Azure and Amazon AWS. Amazon has been the leading cloud service provider, though Microsoft appears to be catching up, based on the comparison of Azure and AWS here. The primary advantages of using the cloud were overall performance and reliability, ease of management, total cost of ownership, and infrastructure flexibility. Although the advantages are clear, using the cloud is not without difficulties. The biggest issues for healthcare agencies were cost/fees (47.6%), customer service (33.3%), data migration and services (26.2%), and accessibility and uptime (23.8%).