In our article last week we discussed when a cloud-based phone provider is considered a business associate. For many healthcare organizations, whether or not to take a walk on the cloud side of computing solutions may be a difficult decision. Specifically, questions may come up such as: what are my obligations if we choose to utilize cloud computing solutions? What does HIPAA require of me?
We will take a closer look at what the U.S. Department of Health & Human Services (HHS) guidance states, and help you and your organization feel comfortable with your HIPAA obligations with respect to cloud computing.
Cloud Computing Solutions
There are a variety of cloud computing solutions organizations consider using. Generally, cloud computing means organizations have online access to shared computing resources and varying functionality. Common cloud computing solutions include:
- Electronic Health Record (EHR) systems
- Software solutions
- Applications
- Data storage
- Telecommunications
HIPAA Obligations
The HIPAA Privacy, Security, and Breach Notification Rules require healthcare organizations to safeguard protected health information (PHI) that they create, receive, maintain, or transmit. In addition, healthcare organizations must limit uses and disclosures of PHI, prevent inappropriate uses and disclosures, and ensure that individuals' rights to their health information are protected. It is important to note that both covered entities and business associates must comply with the applicable provisions of the HIPAA Rules.
7 HIPAA Facts about Cloud-based Computing
Below is a list of seven HIPAA facts about cloud-based computing solutions and obligations of healthcare organizations that choose to use them:
- Healthcare organizations that engage a cloud service provider (CSP) should understand the environment or solution that a particular CSP is offering. For example, if you use a cloud service to store electronic protected health information (ePHI), you should address that choice as part of your security risk analysis (SRA) and have appropriate policies and procedures in place to ensure the confidentiality, integrity, and availability of the ePHI stored by the CSP.
- Healthcare organizations must have a business associate agreement (BAA) in place with any CSP that maintains (stores) ePHI on their behalf. According to HHS, if a covered entity or business associate uses a CSP to maintain (e.g., to process or store) ePHI without first entering into a BAA with the CSP, the covered entity or business associate is in violation of the HIPAA Rules.
- CSPs that provide services on behalf of a healthcare organization are not exempt from the HIPAA Rules. This applies whenever the CSP meets the definition of a business associate, that is, a CSP that creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate. According to HHS, such a CSP must comply with all applicable provisions of the HIPAA Rules regardless of whether it has executed a BAA with the entity using its services.
- If a CSP experiences a security incident or suspects a breach involving a healthcare organization's ePHI, the incident must be reported to that organization. Specifically, under the HIPAA Security Rule, CSPs that meet the definition of a business associate are required to identify and respond to (e.g., notify the covered entity of) suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of security incidents that are known to the business associate; and document security incidents and their outcomes.
- Healthcare providers are permitted to use mobile devices to access ePHI in the cloud, provided that appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and that appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.
- CSPs must understand whether to return or destroy hard-copy PHI (e.g., paper) and ePHI when they are no longer providing services to your organization. While the HIPAA Rules generally do not require a business associate to retain ePHI beyond the time it provides services to a healthcare organization, the HIPAA Privacy Rule does require the BAA to provide for the return or destruction of PHI at termination of the agreement where feasible, and, where return or destruction is not feasible, to extend the BAA's protections to the retained PHI and limit its further use and disclosure.
- All employees who are permitted to access, create, maintain, modify, or store ePHI in the cloud must understand how to do so safely. For example, your organization may have a policy that requires employees to access or store ePHI only while connected to your organization's network, and to refrain from accessing ePHI from public networks.
Conclusion
Cloud-based solutions are commonplace and widely available to healthcare organizations. Choosing to use a cloud-based solution such as an EHR, an application, or data storage is feasible as long as you understand your own obligations and the obligations of the cloud service provider.
If you have any additional questions please do not hesitate to contact us by email: [email protected] or by phone: 855-427-0427.