The combination of cloud hosting and HIPAA compliance can be daunting for even the most seasoned healthcare IT professional. Further complicating matters: on January 25, 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Final Rule, which implements the provisions of the HITECH Act and strengthens the HIPAA Security Rule, among others. The rule applies to safeguarding protected health information (PHI) however it is stored, maintained or transmitted, and it makes a business associate (BA) such as a cloud hosting provider directly liable for Security Rule compliance alongside the HIPAA covered entity (CE) it serves.
Put another way, assessing and minimizing the security risks in a hosting environment up front not only reduces the likelihood of a breach but also lessens the chance of monetary penalties for noncompliance with HIPAA / HITECH security provisions.
So how does a healthcare organization assess whether or not it’s working with a HIPAA compliant cloud hosting provider?
Below are the technical requirements of a hosting environment, drawn from the HIPAA Security Rule and the HITECH Act, that must be addressed during that assessment (citations are to Title 45 of the Code of Federal Regulations; "required" and "addressable" are the rule's own terms, and an addressable specification must either be implemented or be replaced by a documented, equivalent alternative):
- CEs and BAs must back up data so that there are "retrievable exact copies of electronic protected health information" (data backup plan, 45 CFR 164.308(a)(7)(ii)(A), required).
- Data must be recoverable – the disaster recovery plan must let you "restore any loss of data" (45 CFR 164.308(a)(7)(ii)(B), required).
- Data is to be kept off-site – the Security Rule does not name a location, but the risk analysis and risk management specifications of the security management process standard (45 CFR 164.308(a)(1)) require you to address the risk of losing the primary site and its backups in the same event.
- Data must be frequently backed up – the rule fixes no interval; the same risk analysis under 45 CFR 164.308(a)(1) expects you to define and justify how much data loss between backups is acceptable.
- Safeguards must continue while operating in emergency mode – the emergency mode operation plan must protect the security of ePHI while critical processes run during recovery (45 CFR 164.308(a)(7)(ii)(C), required).
- Encrypt or destroy – Section 13402(h) of the HITECH Act (Title XIII) defines "unsecured" PHI as PHI not rendered unusable, unreadable or indecipherable by a method specified in HHS guidance, and that guidance names encryption and destruction; ePHI secured that way does not trigger breach notification if it is lost. For data in motion, the Security Rule's transmission security standard (45 CFR 164.312(e)(1)) requires guarding ePHI in transit against unauthorized access, with encryption as an addressable implementation specification (45 CFR 164.312(e)(2)(ii)); for traffic crossing the internet, expect the provider to have implemented it rather than documented an alternative.
- Documented backup and recovery procedures – the Security Rule requires written policies and procedures (45 CFR 164.316(a)) and documentation of them (45 CFR 164.316(b)(1)), retained for six years from creation or last effective date (45 CFR 164.316(b)(2)(i)).
- Testable recovery – "Implement procedures for periodic testing and revision of contingency plans" (45 CFR 164.308(a)(7)(ii)(D)). This specification is addressable, so a provider that does not run restore tests must be able to show a documented equivalent; in practice, ask to see the results of the last test.
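To make the backup, recovery and testing items concrete, here is an added example that is not part of the original post and not HOSTING's own tooling: a Python restore test that archives a constructed sample tree (synthetic records, no real PHI), restores it into scratch space while refusing tar members that could escape the destination, and verifies every restored file against a SHA-256 manifest taken at backup time. The dated report it returns is the kind of evidence a testing-and-revision procedure should retain. File names, paths and the sample contents are hypothetical; encrypting the archive at rest and in transit is outside this snippet.

```python
"""Added example: verifiable backup and restore test for the contingency-plan items above.
Sample data is constructed (synthetic records, not real PHI); paths and names are hypothetical."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest recorded at backup time.
    The manifest is the 'exact copy' baseline that a later restore is checked against."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract into dest, refusing members that could escape it (absolute paths, '..', links)."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        safe = [m for m in tar.getmembers()
                if not m.name.startswith("/") and ".." not in Path(m.name).parts
                and not (m.issym() or m.islnk())]
        # Python 3.12+ (and security backports) ship tarfile.data_filter; use it when present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=safe, **extra)
    return dest / "data"


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare the restored tree with the backup-time manifest and report every discrepancy."""
    actual = build_manifest(restored)
    changed = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    missing = sorted(manifest.keys() - actual.keys())
    extra = sorted(actual.keys() - manifest.keys())
    return {"ok": not (changed or missing or extra), "files_checked": len(manifest),
            "changed": changed, "missing": missing, "extra": extra}


def make_sample_data(root: Path) -> None:
    """Constructed sample tree standing in for an ePHI export; contents are synthetic."""
    (root / "records").mkdir(parents=True)
    for i in (1, 2):
        (root / "records" / f"patient-{i:04d}.json").write_text(
            json.dumps({"id": f"{i:04d}", "note": "synthetic, no real PHI"}))
    (root / "audit.log").write_text("2013-01-25T00:00:00Z export completed\n")


def run_restore_test(corrupt_after_restore: bool = False) -> dict:
    """Full cycle: build sample data, back it up, restore, verify, and return a dated report.
    corrupt_after_restore damages one restored file so the check is proven to fail when it should."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive = tmp / "source", tmp / "backup.tar.gz"
        make_sample_data(source)
        manifest = create_backup(source, archive)
        restored = restore_backup(archive, tmp / "restore")
        if corrupt_after_restore:
            with (restored / "records" / "patient-0002.json").open("ab") as fh:
                fh.write(b"\x00")  # one extra byte is enough to break the exact-copy claim
        report = verify_restore(manifest, restored)
        report["tested_at"] = datetime.now(timezone.utc).isoformat()
        report["archive_sha256"] = sha256_file(archive)
        return report


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
    print(json.dumps(run_restore_test(corrupt_after_restore=True), indent=2))
```

The manifest is taken from the source tree before archiving, not from the archive, so a restore that silently drops or alters a file is caught even if the archive itself reads back cleanly; recording the archive digest alongside the test date gives the written record that the documentation and retention requirements call for.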
To learn more about technical safeguard controls for PHI in the cloud, please join Sean Bruton, VP of Product Management at HOSTING, for a can’t miss webinar, Assessing Your Hosting Environment for HIPAA Compliance, on Thursday, June 5 at 3 p.m. EDT.