Perspectives On Cloud Computing And HIPAA Compliance In Healthcare
August 22, 2013
There is a fair amount of uncertainty about adopting cloud services in healthcare, especially around sensitive health data. While the federal government’s rules are complicated, we know for a fact there’s nothing inherently dangerous about the technology.
The term “cloud computing” popped up about five years ago to describe a relatively simple concept: the ability to consolidate and outsource computing resources to (often) external entities in order to take advantage of economies of scale, resulting in cheaper, more flexible, and more secure computing. Cloud computing enables many computing resources to be used much like a utility.
In the healthcare space there is a fair amount of uncertainty about adopting cloud services, especially around sensitive health data better known as protected health information (PHI). However, while the use of computing resources to store and share sensitive health data always merits a thoughtful approach, there is nothing inherently dangerous about cloud computing. Healthcare organizations should and can benefit as much as other sectors have from cloud computing.
One central point of uncertainty involves the application of the Health Insurance Portability and Accountability Act (HIPAA), which governs how healthcare organizations manage the privacy and security of protected health information (PHI) and respond to potential PHI breaches.
Can healthcare providers choose to store protected health information (PHI) in the “cloud,” and why might they want to? Is a cloud service provider (CSP) a business associate under the HIPAA Privacy Rule? Does cloud computing remove the need for healthcare providers to worry about the data they store with a CSP? Can the government access PHI stored with a CSP for law enforcement and national security purposes? Can healthcare providers use general-purpose, publicly available Internet services such as document, email, and calendar services to store PHI and still be in compliance with HIPAA?
Based on our interpretation of the law, in most cases a CSP would be a business associate under HIPAA’s Privacy Rule. Under the most recent version of the Privacy Rule, an entity that “creates, receives, maintains, or transmits protected health information (PHI)” in fulfilling certain functions or activities for a HIPAA-covered entity is considered to be a “business associate.”
Covered entities are required to execute agreements with their business associates – called business associate agreements (BAAs) – that set forth the permitted uses and disclosures of PHI. Business associates that subcontract the services or functions requested by the covered entity must also execute business associate agreements with those subcontractors.
Most CSP arrangements with healthcare providers will involve the maintenance of PHI on the healthcare provider’s behalf. In cases where the CSP is merely “transmitting” PHI for a covered entity, whether the CSP is a business associate will depend on whether it requires access to such PHI on a routine basis. The HHS Office for Civil Rights (OCR), which enforces HIPAA, recently clarified that under the HITECH omnibus final rule, entities transmitting PHI are business associates only if they require access to such data on a “routine basis.”
If a contractor is a “mere conduit” for transmission of PHI – e.g., like the “conduit” role the postal service plays when healthcare providers send paper records in the mail – then it would not be considered a business associate. An Internet service provider (ISP) is an example of a digital “mere conduit.” CSPs, on the other hand, typically perform functions that go further than mere transmission, such as storing, analyzing, or reformatting PHI, or performing billing functions.
Healthcare organizations need to incorporate the cloud carefully into their HIPAA compliance regime. Ignorance has proven damaging in the past: the Department of Health & Human Services (HHS) has so far brought enforcement action against one healthcare provider that misused cloud computing services in such a way that it errantly made protected health information publicly available. And recently, a healthcare provider in Oregon gave notice to thousands of patients when it discovered that employees were using a cloud-based spreadsheet containing PHI to keep track of patients.
There are, however, far more examples of compliant and productive use of cloud computing in healthcare. These FAQs are intended to help providers maximize the benefits of cloud computing while remaining in compliance with their HIPAA obligations. Cloud computing can be a great business solution for many healthcare providers, but be sure you know all the facts before signing up.
At Environmental Intelligence, we have deep knowledge and experience in delivering cloud services to healthcare organizations while maintaining the highest levels of data security and HIPAA compliance. Contact us today to learn more about our Physician Focused. Patient Driven.® approach to cloud computing and disaster recovery.