HIPAA (the Health Insurance Portability and Accountability Act) safeguards individuals against unauthorized access to and use of their health information.
Under HIPAA, health information that is transmitted, received, or stored in electronic form is called ePHI (electronic Protected Health Information). The organizations that are expected to be HIPAA compliant are called covered entities and business associates.
Like most industries, the healthcare industry is also moving to the cloud. However, many health institutions, as well as cloud providers, are unclear about the procedures and rules they should follow to store ePHI in the cloud.
The U.S. Department of Health & Human Services (HHS) has clearly defined the roles and responsibilities of a cloud service provider that transmits, receives, or stores ePHI, or that hosts any health-related application handling ePHI.
Under the HIPAA rules, if a covered entity or business associate uses a cloud service provider to transmit, receive, or store ePHI, the provider is itself considered a business associate.
However, before using the cloud services, the covered entity or business associate is expected to enter into a Business Associate Agreement (BAA) with the cloud hosting provider. The agreement contains the clauses and procedures the cloud hosting provider is expected to implement in its services in order to be HIPAA compliant.
Here are some questions you should ask yourself while looking for a HIPAA compliant hosting provider.
1. What security policies and safeguards does the cloud provider implement?
For HIPAA compliant covered entities and business associates, security is the paramount concern. The HIPAA Security Rule clearly defines the responsibility of covered entities and business associates to protect the private and confidential ePHI of individuals. Failure to comply with the Security Rule leads to heavy penalties from HHS.
Cloud hosting providers, as business associates, are legally obligated to uphold the HIPAA rules. Hence, every HIPAA compliant hosting provider must implement advanced security procedures in its setup to ensure complete protection of ePHI.
However, while choosing a hosting provider, covered entities and business associates must also keep in mind the security parameters that HIPAA expects them to follow. The cloud provider must deploy data encryption for the transmission of ePHI.
Other security safeguards may include multi-factor authentication, a strong password policy, and Intrusion Detection and Prevention Systems (IDS and IPS).
2. Where will the data be hosted?
Cloud hosting providers store ePHI on cloud servers kept in remote data centers. However, it is advisable to pick the HIPAA compliant hosting provider closest to your location, or at least one in the same country.
Cloud providers can host ePHI in data centers that are not in the same country. Although they provide you with access to your data over an internet connection, certain parameters make hosting in such data centers ill-advised.
The most important parameter is security. Hosting your data in another nation that does not have strict data protection rules could be fatal, as cyberattacks in such regions are more frequent and rarely mitigated.
Another parameter could be the latency experienced when accessing the data, due to the distance between the data center and the end user.
Note – Under HIPAA, there is no restriction on the geographic location of the data center, as long as the covered entities or business associates have a Business Associate Agreement with the cloud provider.
However, the OCR (Office for Civil Rights) recommends that covered entities and business associates refrain from hosting ePHI in data centers outside the US, as it may involve high risks.
3. What level of support does the cloud provider offer?
Customer support is essential to the optimum functioning of any process. Health-related applications and online portals that handle ePHI are no different.
Individuals seeking medical treatment are given access to apps and online portals by healthcare institutions. These apps are created by the institutions to streamline their processes and are hosted in the cloud to make ePHI available to individuals at all times.
People expect the apps or online portals to be always accessible; there is no telling when an individual might need his or her health information. Hence, as a medical establishment, it is recommended to choose a HIPAA hosting provider that offers dedicated support to its customers.
Apart from dedicated support, the cloud provider should also have minimal response and resolution times, ensuring that individuals always have access to their information.
4. What SLA-guaranteed uptime does the cloud provider offer?
In addition to the Business Associate Agreement, covered entities and business associates must also sign a Service Level Agreement (SLA). The SLA does not contain any clauses related to HIPAA compliance. However, it specifies the level of service the hosting provider is expected to deliver and the terms and conditions of hosting, such as the duration of the agreement.
The cloud provider also guarantees an uptime in the SLA, which defines the portion of the year for which the services are expected to be functional.
Before choosing a hosting provider, every covered entity and business associate should go through the SLA thoroughly.
5. Does the cloud provider implement Business Continuity?
Cloud providers implement Business Continuity in their services to ensure data availability and restoration even during a disruptive event. Any event that can hamper the performance of your application or cause loss of ePHI can be termed a disruptive event.
Business Continuity is a proactive approach that implements processes such as Risk Analysis, Crisis Management, and Disaster Recovery, not only to mitigate any damage caused by a disruptive event but also to identify and prevent it.
For instance, a Disaster Recovery Plan enables the protection of data during a disaster such as an earthquake. It involves backing up the data in multiple geographic locations so that the data can be restored from one location if a disaster hits another.
A HIPAA compliant hosting provider should be chosen wisely!
If an establishment falls under the category of covered entity or business associate under HIPAA, it needs to be fully aware of the rules and regulations. Moreover, if it decides to migrate ePHI to the cloud, the hosting provider must adhere to the HIPAA regulations as a business associate.
Apart from following the HIPAA rules and regulations, there are some other traits of a cloud provider that are critical for storing ePHI. The provider must offer a secure environment for storing, transmitting, or receiving ePHI, as it is highly confidential data containing the personal health information of individuals.
Customer support should be efficient and constant to ensure swift resolution of issues. It is preferable if the data center in which the cloud servers are hosted is in the US, as this ensures strict data protection laws and fewer cyberattacks. Analyze the SLA and the uptime it guarantees before making a decision, to ensure high availability.
Data protection is important! Ensure that the cloud provider implements Business Continuity and Disaster Recovery to keep your data safe even in times of crisis.