How to Establish Secure HIPAA Compliance in the Cloud in 2021
Companies operating in the healthcare industry are required to conform to regulatory standards regarding the processing and security of protected health information (PHI). Specifically, U.S. businesses are required to comply with the guidelines defined in the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996. Failure to follow HIPAA standards can lead to substantial financial penalties for the offending organization.
The cloud offers a secure platform on which companies can host part or all of their computing environment. Taking advantage of the cutting-edge technology implemented by cloud hosting providers can provide more security than an on-premises implementation. Since data security is an essential component of HIPAA guidelines, the question is whether HIPAA compliance is possible to establish with a public cloud provider.
This article will answer that question. Spoiler alert: The answer is yes if done correctly. We are going to look at the essential components of a cloud hosting solution that are necessary to ensure HIPAA compliance.
What Do HIPAA Regulations Require?
HIPAA’s objectives are to ensure that Americans can keep their health insurance when changing jobs and to maintain the privacy of PHI by defining enforceable controls with which to hold organizations accountable. Meeting the first goal simply required the legislation to be passed and did not present any substantial hurdles to be negotiated.
Discussions around HIPAA compliance are primarily concerned with the security and privacy of PHI. Two main rules specify how PHI must be handled. They are the HIPAA Privacy Rule and the complementary HIPAA Security rule. Some terms need to be clearly defined to understand the details of these rules and how they apply when complying with them.
- PHI - Protected health information includes any medical information that contains identifying elements such as the name and Social Security number of a patient. Electronically stored PHI is referred to as ePHI.
- Covered Entity - Covered entities are organizations that handle PHI or e-PHI during day-to-day business operations. These entities must follow HIPAA guidelines which are enforced by the U.S. Department of Health and Human Services (HHS). Covered entities include healthcare providers, health plans, and clearinghouses such as medical record transcription services.
It may be of note that technology companies are not required by law to meet HIPAA standards. That’s why some companies can offer technology that is not compliant. The onus then, is on the covered entity to be educated and only select technology that is HIPAA-compliant.
- Business Associate - Business associates work with covered entities to handle PHI and ePHI. They are also required to comply with HIPAA security and privacy guidelines.
The HIPAA Security Rule is the centerpiece of HIPAA guidelines and outlines three sets of safeguards that need to be followed when implementing policies and procedures that process PHI and ePHI.
- Physical safeguards specify the physical controls implemented related to digital devices that store PHI. It includes ensuring that replaced or obsolete ePHI media is securely destroyed, limiting access to devices that contain ePHI to authorized personnel, and properly training third-party technicians required to repair equipment storing PHI.
- Technical safeguards refer to the technical characteristics of computers and devices used to transfer ePHI. Systems need to implement enhanced network security, firewalls, and strong authentication protocols at a minimum.
- Administrative safeguards define how covered entities set up employees’ policies to conform to the specifications of the HIPAA Security Rule. It includes employee training so individuals understand what they can access and how they can use PHI.
There is tremendous diversity in the covered entities and business associates that are expected to comply with HIPAA guidelines. Some are small doctor’s offices with no in-house information technology (IT) support. Others are large corporations with dedicated data centers. A common characteristic of these very different entities is that they need a HIPAA-compliant solution for processing PHI. Many of them turn to the cloud for a solution.
The Ingredients of a HIPAA Compliant Cloud Hosting Solution
According to the latest healthcare trends, the cloud has become an attractive option for many companies attempting to successfully comply with HIPAA rules. But not all cloud solutions are capable of meeting the safeguards defined in the HIPAA Security Rule. The following are some of the essential server features required to provide users with a HIPAA-compliant cloud hosting solution:
- A highly available infrastructure that includes an uptime service level agreement (SLA) to protect you if the provider fails to maintain system accessibility. The majority of entities associated with the healthcare industry cannot tolerate an extensive outage. Stipulating server uptime in the contract minimizes unpleasant surprises later on.
- Fully managed security firewall added to the server hosting ensures there is no unauthorized access to your system. As indicated in the US Department of Commerce’s NIST firewall guidelines (Special Publication 800-41), and as expanded by TechTarget, five primary types of firewalls are application-level gateways (proxies), circuit-level gateways, multilayer inspection firewalls, packet-filtering firewalls, and stateful inspection firewalls.A critical aspect of protecting the privacy and security of PHI is to make sure that only authorized personnel have access to the data. Getting detailed information about the location of the technology is also important. Having a server in Eastern Europe for example, is problematic if you are a US-based company and you learn that your data has been compromised. One country’s laws cannot protect a business owner if you allow your data to be stored in a foreign country.
- Encrypted and strong virtual private networks (VPNs) are essential for HIPAA compliance. Data needs to be encrypted during transmission to comply with HIPAA guidelines. Encrypting at rest is considered best practices as well since you are required to either encrypt at rest or utilize an alternative.
- Onsite and offsite backups of data are necessary to fully protect electronic medical records and ensure that systems processing ePHI can be recovered quickly in case of failure without data loss. Offsite backups should also be located in the country of the company being served. Backups also need to be encrypted to prevent PHI from being accessed from backup media by unauthorized users.
- Anti-malware protection is an important feature your cloud hosting providers should address. Keeping your environment free of malware and viruses is an essential component of affording PHI the level of security it requires.
- Multi-factor authentication provides enhanced protection over enabling access to protected systems with a simple user ID and password. Taking this precaution eliminates the risk of unauthorized access being gained due to weak passwords.
- A HIPAA-compliant environment needs to be segmented from other customers of your cloud hosting provider. Experienced vendors are better suited to design a private environment that protects PHI and keeps you compliant with HIPAA standards. When negotiating with a hosting company, it is in your best interest to avoid having your information stored on servers that are shared with other companies to avoid contamination from neighbors. This would be usually considered Shared Hosting. Ensure to ask how your data is separated if you are using any software as a service (SaaS) offerings as this could be occurring.
- Secure socket layer (SSL) certificates for all servers, domains, and subdomains in your environment that contain ePHI.
- Availability of a business associate agreement (BAA) to define the role of your partners in protecting PHI. This document does not eliminate the covered entity’s responsibilities to protect PHI but is useful for identifying the roles each organization takes in the event of a data breach.
These points are some of the aspects of a cloud vendor that is able to deliver a fully HIPAA-compliant environment.
These are some additional characteristics of a reliable HIPAA-compliant cloud provider that should help you determine the right one for your needs. Look for these features when selecting a cloud provider for HIPAA-compliant web hosting.
- Operating system platform versatility - Some providers only offer HIPAA compliant systems running on the Microsoft Windows platform. This can be a problem if you have Linux servers in your environment. Look for a provider that can handle either platform to fully cover your computing landscape. Also be aware that some systems can be considerably more expensive than others. For example, Microsoft servers are often considerably more expensive than Linux servers due to the additional licensing that is required from Microsoft and the additional resources that Windows Server requires.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act addresses the privacy and security concerns associated with the electronic transmission of health information. Look for a hosting provider that has been audited by a third party and successfully demonstrated their compliance with HITECH.
- SOC 2 TYPE II and SOC 3 TYPE II certification that demonstrates that the provider has passed the relevant tests to prove they are implementing the security and availability guidelines mandated by HIPAA.
If done correctly with the assistance of an experienced provider, the cloud can furnish a safe and HIPAA-compliant environment for processing PHI. Use a checklist from a reliable vendor to ensure that all bases are covered. If a given provider cannot meet the demands laid out in the checklist, search for a better alternative. They are out there and can deliver the HIPAA-compliant environment you need.