The final omnibus ruling of 2013 is a reminder of the importance of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for covered entities (CEs) and their business associates managing protected health information (PHI). Though it may sound relatively straightforward, most healthcare providers have found that achieving HIPAA compliance is non-prescriptive and daunting – especially so for those who have no existing security processes or IT professionals to help guide them through the technical requirements.
To further complicate matters, each cloud service provider (CSP) has a different approach to developing and implementing cloud solutions for HIPAA compliance. As a result, many CEs believe mythical tales about HIPAA compliance in the cloud. Have you fallen prey? Below, HOSTING has busted five of the most common myths surrounding HIPAA compliance:
Myth #1 – “We don’t need a Business Associate Agreement.”
To ensure the security and confidentiality of PHI, HIPAA CEs and their Business Associates (BAs) who create, receive, maintain, or transmit PHI on behalf of CEs, as well as BAs and their subcontractors who create, receive, maintain, or transmit PHI on behalf of CEs, are obligated to sign a Business Associate Agreement (BAA) that directly addresses the security rules and regulations for compliance with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Simply put, a “chain of BAAs” is necessary and if your CSP isn’t willing to sign one, find one who will.
Myth #2 – “My company had a risk assessment for HIPAA compliance two years ago so we’re fine.”
If your company or BA has had a change in systems, an outage or even a minor security breach, you need to get an updated HIPAA compliance risk assessment. At a minimum, you should evaluate your current security capabilities annually to reassess vulnerabilities for PHI. This is a critical activity as HIPAA CEs are subject to random HIPAA compliance audits conducted by the Office of Civil Rights.
Myth #3 – “Some cloud providers are HITRUST certified, therefore we should only work with them for our HIPAA compliance needs.”
Among the Health Information Trust Alliance (HITRUST) certification, there are a number of prescriptive certification standards that exist for HIPAA compliance but none directly address the specific security controls for cloud hosting. HITRUST offers a common security framework (CSF) that can be used by cloud providers to secure PHI but, again, it is not the only CSF that can be prescribed when managing firewalls, patching and other security services for HIPAA compliance.
Myth # 4 – “I don’t care about being PCI Compliant. I only care about using cloud hosting solutions that help me achieve HIPAA compliance. “
Payment Card Industry Data Security Standards (PCI DSS) security controls can be easily leveraged for HIPAA compliance. PCI has more than 220 cloud-based security controls specifically designed to manage firewalls, patching, encryption and so forth. Because the HIPAA security provisions do not prescribe any technology controls for PHI in the cloud, it can be very challenging for a CE to understand which cloud services are sufficient to protect PHI in the cloud. Fortunately, PCI provides a common security framework for protecting sensitive data.
Myth # 5 – “We’re a HIPAA CE and need to have all our internal applications on a private cloud. But we’re not picky about which cloud service provider we use.”
Unfortunately, not all cloud providers run an entire technology stack. Therefore, they can’t fully guarantee that their HIPAA compliant private cloud is, in fact, always HIPAA compliant. From middleware to operating systems to network operations, there are six different levels within a technology stack that can be outsourced by a hosting provider which can compromise the safety of PHI.
To learn more about common myths of HIPAA compliance, check out our on-demand webinar, Who Told You You’re Compliant? Myths around Audits and Certifications, presented by Sean Bruton, Vice President of Product Management at HOSTING.