We get it. It seems like only yesterday, you were enjoying a well-deserved summer vacation. And now – out of nowhere – you’re gearing up for a slew of holiday activities. But there is one last item on your To Do list that must be completed before you close the books on 2105 – selecting a HIPAA-compliant cloud provider. Since there are numerous cloud providers that claim to be HIPAA compliant, it’s tough to determine which ones can safeguard your sensitive patient information while adhering to compliance mandates as prescribed by HIPAA. And since HIPAA compliance requirements tend to be – shall we say – a bit cloudy, it can be difficult to accurately vet the services of different cloud providers. Not to worry – HOSTING has your back. Read on to learn three key steps for evaluating HIPAA compliant cloud providers.
Step 1 – Learn the requirements for becoming HIPAA compliant
HIPAA is one of the most difficult compliance postures to achieve. This is due in part to the fact that it was introduced in 1996; pre-dating the rise of consumer Internet and the evolution of mobile devices. The HITECH Act, passed in 2009, was designed to bring HIPAA into the Internet-era by allowing technology providers to host sensitive data on their external platforms. HIPAA compliance is also not prescriptive – there is no guidebook for how to achieve it. However, if you take the time to understand the four HIPAA “rules,” you will be in a better position to evaluate a potential cloud provider’s knowledge.
Simply put, Covered Entities (CEs) and their Business Associates (BAs) need to ensure the privacy, security and availability of protected health information (PHI) at all times. In order do so, they must address four specific rules:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
TIP: Our blog post, How Does My Organization Become HIPAA Compliant?, provides a detailed overview of all four of these HIPAA rules.
Step 2 – Have a solid Business Associate Agreement (BAA) in place
Before engaging with any cloud provider that claims to be HIPAA compliant, be sure they will readily sign a Business Associate Agreement (BAA). What exactly is a BAA? Under HIPAA, a BAA is a contract between a CE and BA that assumes mutual responsibility for protecting PHI in accordance with HIPAA guidelines.
Cloud providers that claim to be “BAA-friendly” should be aware of the Omnibus Rule of 2013. An addendum to HIPAA, it clearly defines the responsibilities that third party providers have in regards to safeguarding PHI. The Omnibus Rule requires compliance from an entity that “creates, receives, maintains or transmits PHI on behalf of customers that are healthcare providers, health plans or health clearning houses.”
Why is this important? Because some cloud providers try to skirt around their responsibility for safeguarding an organization’s PHI by evoking the following BAA “loopholes.”
- Janitor Clause – HIPAA provides exception to organizations whose functions or services don’t involve disclosing PHI at all, but may have incidental access to it. For example, a janitor who works at the hospital would be excluded from any liability around PHI.
- Conduit Clause – HPAA provides exceptions to specific individuals or entities such as postal workers who may deliver mail that includes PHI.
TIP: As a trusted HIPAA compliant cloud service provider to nearly 200 healthcare organizations, HOSTING readily signs BAAs as a standard practice. Our Chief Legal Officer, Steve Yoost, provides information on what to look for in a cloud provider’s BAA in his webinar, Understanding Your Cloud Service Provider’s BAA.
Please note – while Steve is a well-respected lawyer, he’s not your lawyer. HOSTING recommends that you review and discuss any legal matters pertaining to Business Associate Agreements with your own legal counsel.
Step 3 – Ask about audits
Many cloud vendors claim to help you achieve and maintain HIPAA compliance, but are vague in sharing their processes. Have them review their platform and controls with you – both play key roles in HIPAA compliance. The provider’s controls should ensure you are complying with various aspects of the HIPAA structure. Their reporting should generate the information logs necessary to prove that you are HIPAA compliant in the event of an audit.
Speaking of audits – find out if the cloud provider itself has been audited. HIPAA doesn’t provide certifications, so any cloud provider can claim to be HIPAA compliant. However, many some providers, including HOSTING, undergo third party audits to assess which controls are in place and how they support the designated regulations. If the cloud provider has been audited, ask to see the results of their audits. Pay particular attention to how they may have addressed reported lapses in compliance.
Finally, ask the cloud provider if they offer 100% audit assurance. Only a few cloud providers such as HOSTING offer a complete range of compliant hosting services to satisfy organization’s HIPAA, PCI other compliance obligations. We are one of the only cloud providers to offer 100% audit assurance. This means that if you receive the HOSTING Assured Tier Compliance Services and any compliance issues with HOSTING’s services are discovered during a HIPAA or PCI audit, HOSTING will provide the additional investments in HOSTING services necessary to achieve compliance or issue a customer refund.
TIP: Download our complimentary white paper, HIPAA Compliance: What Every CEO Needs to Know, to learn about the risks and opportunities that healthcare organizations face when achieving HIPAA compliance. You can also read our blog post, Got a HIPAA Compliance Audit Coming Up? Here’s How to Prepare for It.
Led by our in-house Chief Information Security Officer (CISO), HOSTING offers managed compliance services, enabling organizations to measure, monitor and manage their risk. Our team of certified information security and compliance experts help customers understand their exposure as well as their regulatory and compliance obligations. They guide them through a reasoned, defensible compliance posture based on continual assessment, evaluation, response and reporting of security threats. Contact us today to schedule your compliance assessment.