Can Your Practice Use Cloud Hosting and Still Be HIPAA Compliant?
When it comes to personal medical information, HIPAA rules are set up to protect that information from getting into the wrong hands.
Unfortunately, in today’s world, hackers continue to attack businesses, government entities, hospitals, and doctors’ offices. Long gone are the days when a phishing email looked odd enough that you could recognize it, leave it unopened, and forward it to your IT department. Today, attackers send emails polished enough to fool just about anyone. The recent Google Docs phishing scam is a prime example.
You may want to keep your digital files on servers in your own office. While that is an understandable instinct, it is becoming unfeasible in the long run: you will continue to accumulate large amounts of data, and you will run out of space to hold it all.
With the widespread adoption of cloud computing, you might wonder whether HIPAA allows you to store files with a cloud service provider. Rest assured, the answer is yes, provided the conditions described below are met. Here are answers to the questions practices most often ask about the HIPAA rules and cloud hosting.
1. May a HIPAA-covered entity or business associate use a cloud hosting provider to store or process electronic protected health information (ePHI)?
Yes, provided your practice enters into a HIPAA-compliant business associate agreement (BAA) with the cloud hosting provider that will be creating, receiving, maintaining, or transmitting ePHI on its behalf.
That sounds a bit jargon-y, but basically, if you sign a written BAA with the hosting provider that meets the HIPAA requirements, you are on the right footing. Under the BAA, the provider is contractually obligated to implement appropriate safeguards for protecting the ePHI. It goes without saying, however, that you should speak with your prospective cloud hosting provider about the environment and the solutions offered, so that you can conduct your own risk analysis and establish risk management policies that account for how the provider actually handles your data.
At the same time, the cloud hosting provider needs to perform its own risk analysis of the threats and vulnerabilities that could compromise the ePHI on its servers, including the ways your office connects to them.
2. If a cloud hosting provider stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Yes, because the cloud hosting provider receives and maintains (e.g., to process and/or store) ePHI for your office. The fact that the host does not hold the decryption key does not exempt it from business associate status, so it still falls under the HIPAA rules.
Putting it simply, if a cloud hosting provider – or any provider for that matter – maintains ePHI on your behalf, they fall under HIPAA rules. This is pretty clear cut.
3. Can a cloud hosting provider be considered a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA rules?
Generally, no. Cloud hosting providers that create, receive, or maintain ePHI for your practice meet the definition of a business associate, even if they cannot view the ePHI because it is encrypted and they do not have the decryption key.
As the answer to question 2 implies, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), such as the postal service. Because a conduit only transports the information and has at most transient access to it while in transit, it is not a business associate. A cloud hosting provider, by contrast, stores your information persistently so that it can later be transmitted to your office computers or devices, and that storage is what brings it under the HIPAA rules.
4. What if a HIPAA-covered practice uses a cloud hosting provider to maintain ePHI without first executing a BAA with them?
If your practice uses a cloud hosting service to maintain ePHI without entering into a BAA with them, you are in violation of the HIPAA rules.
Further, a cloud hosting service that meets the definition of a business associate (that is, a cloud hosting provider that creates, receives, maintains, or transmits PHI on behalf of your practice) must comply with all applicable provisions of the HIPAA rules, regardless of whether it has executed a BAA with the entity using its services.
If a cloud service provider becomes aware that it is maintaining ePHI, it must come into compliance with the HIPAA rules, securely return the ePHI to your practice, or, if both parties agree, securely destroy the ePHI. Once it has returned or destroyed the ePHI, the cloud hosting provider is no longer a business associate.
End the guesswork about HIPAA cloud hosting and all the sleepless nights
You know your in-house servers won’t be able to hold much more, and it’s really expensive to buy more, if you even have space for it.
At Swift Systems, taking care of your sensitive information is a priority. That’s why we’ve partnered with SecurityMatrics, a leading provider of HIPAA and PCI compliance services, to offer you our Compliance as a Service plans. Our contracts include standard HIPAA policy and procedure templates, HIPAA training, and risk analysis. They also include all of the engineering time needed to help you complete your HIPAA risk assessment and create a risk management plan.
Swift also has a proven track record of providing virtual private cloud services for regional and Maryland business customers through our own state-of-the-art data centers. We make sure your data is safe every day, 24/7.
If you have any questions, or would like to know more about what Swift Systems can do for you, contact us and we’ll be more than happy to help you navigate HIPAA and cloud hosting.