Does your doctor’s office store your personal health information in the cloud? As electronic health records become more commonplace, entities that must comply with the Health Insurance Portability and Accountability Act (HIPAA) are looking for ways to streamline storage and backups of all of these data. While the cloud seems like an obvious solution, is medical information safe there and how does cloud computing complicate HIPAA compliance?
A HIPAA Primer
Protected Health Information (PHI) is individually identifiable health information: identifiers such as a patient’s name, age, and gender, together with information about the patient’s condition, prognosis, treatment, and payment for care. The Health Insurance Portability and Accountability Act (HIPAA) regulates how PHI is handled regardless of the form it takes: written, electronic, or oral. The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule govern how PHI must be protected when it is used or disclosed in the course of care, billing, and related operations. The rules bind “covered entities” directly and, through contract, the business associates that handle PHI on their behalf:
- Health Care Providers – hospitals, doctors, nurses, healthcare workers, and service providers
- Health Plans – Medicare, Medicaid, private insurance companies, and group plans
- Business Associates (BA) – not covered entities themselves, but third parties that create, receive, maintain, or transmit PHI on a covered entity’s behalf, such as billing, data analysis, and data aggregation services, and cloud service providers
Addressing Cloud Concerns
In October 2016, the US Department of Health and Human Services (HHS) released guidance clarifying whether and how electronic PHI (ePHI) may be held in the cloud. If a covered entity (or one of its business associates) engages a cloud service provider (CSP) to store, process, receive, transmit, or otherwise handle ePHI, the CSP is itself a business associate and must enter into a HIPAA-compliant Business Associate Agreement (BAA) that sets out the permitted uses and disclosures of the data and the safeguards the CSP must apply. This holds even when the CSP receives only encrypted ePHI and never holds the decryption key. The service level agreement (SLA) should also be consistent with HIPAA and address issues such as:
- System availability and reliability
- Data recovery and backup procedures
- Return of data to the customer when the service is terminated
- Division of security responsibility between the customer and the CSP
- Limitations on use, retention and disclosure
The guidance also addresses how ePHI is protected once it is in the cloud. Encryption is valuable, but encryption alone does not make a cloud deployment HIPAA compliant: it protects confidentiality while doing nothing for integrity or availability (a corrupted backup or a prolonged outage is a Security Rule problem even if every byte is encrypted), and the Security Rule’s administrative and physical safeguards still apply. A CSP acting as a BA is responsible for the physical security of the servers and facilities holding the data and for its own administrative safeguards, in addition to the technical ones. Because the CSP is a BA, HIPAA also requires it to report security incidents involving ePHI. The guidance defines a security incident as follows:
A security incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Thus, a business associate CSP must implement policies and procedures to address and document security incidents, and must report security incidents to its covered entity or business associate customer.
The BAA should specify the level of detail, frequency, and delivery method for such incident reports, so that the customer can meet its own Breach Notification Rule deadlines.
The guidance sets no specific rules for entities that store data with a CSP located outside the United States. It does note, however, that because the Security Rule requires a risk analysis, an entity outsourcing to an overseas CSP should weigh the geographic risks to its data (such as differing legal protections and the enforceability of the BAA’s safeguards abroad) as part of that analysis.
To sum up: in October 2016 HHS released guidance for healthcare-related entities doing business in the cloud. It answers common questions and flags missteps made by covered entities that wish to store, transfer, or otherwise handle ePHI with a cloud service provider. A CSP that handles ePHI is a business associate, so the entity must put a BAA in place (and an SLA consistent with it) before ePHI moves to the cloud. Encryption on its own is not enough: the CSP must also be able to show the physical and administrative safeguards it applies to keep ePHI confidential, intact, and available.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK) exam, a security professional should be comfortable with the topics this post touches on, including:
- Governance and Enterprise Risk Management (Domain 2)
- Legal Issues: Contracts and Electronic Discovery (Domain 3)