2014 has seen a dramatic shift in cloud acceptance by the healthcare industry. Previously, healthcare organizations were reluctant to embrace cloud technology, citing data security and HIPAA compliance concerns. However, according to the 2014 HIMSS Analytics Cloud Survey released in June, 83 percent of healthcare organizations use cloud services in some capacity. Customer service, security and availability, and a cloud solution provider’s (CSP’s) willingness to sign a Business Associate Agreement (BAA) are key factors that healthcare organizations should consider when aligning healthcare operations in the cloud with HIPAA compliance regulations.
Business Associate Agreements
When evaluating potential CSPs, 65% of HIMSS survey respondents listed a CSP’s willingness to enter into a HIPAA business associate agreement (BAA) as the most important criterion. Under the HITECH Act, any HIPAA business associate and its subcontractors – including CSPs – are subject to audits by the Office of Civil Rights (OCR) and can be penalized for noncompliance with fines up to $1.5M. Many CSPs shy away from entering into a BAA, claiming that they might not know if they are storing protected health information (PHI). However, according to leading IT research firm Gartner, “A provider’s willingness to sign a BAA signals that it has given thoughtful consideration of the requirements, has an acceptance of responsibilities under the law and contributes to the defensibility of the HIPAA-covered entity should the business associate commit or be a party to a HIPAA violation.”
Healthcare organizations are required to conduct their own HIPAA compliance risk assessments. However, engaging with a compliant hosting solutions provider that is willing to sign a BAA provides assurance that the provider is committed to creating a complete and defensible solution for putting PHI into the cloud.
Security and Availability
Healthcare organizations have stringent power, network and availability requirements of their CSPs. Nearly half of respondents mandate availability requirements at or above 99.99%. The difference between 99.0 and 99.9 percent availability yields a substantial difference in potential downtime:
- 99.0 percent availability represents almost four days of downtime a year.
- 99.9 percent availability represents less than one hour of downtime.
Prior to engaging with a CSP, healthcare organizations should ask detailed questions about their availability, security measures for protecting data assets and disaster recovery solutions.
Two-thirds of respondents reported challenges with their CSPs. Many of these stem from their perceived lack of visibility into the CSP’s ongoing operations, customer service, and cost/fees associated with the solution. This feedback indicates that healthcare organizations are still looking for a “good fit” with their CSPs and want additional insights into the benefits of their cloud solutions. Nearly half of respondents indicated that having access to metrics from their CSP allowed them to measure augmentation of capacity, improvement of financial metrics and improvement of time to deploy their organization’s solution by using cloud services. Therefore, it is critical for an organization to understand the business operations of the CSP. The organization should also map the CSP’s standard metrics back to its overall business goals, and request additions or changes where needed.
Join HOSTING on Thursday, July 17th at 3:00 pm EDT for our live webinar, HIPAA Compliance: Simple Steps to the Healthcare Cloud. Our panel of healthcare and compliance experts will discuss how to align healthcare operations in the cloud with HIPAA compliance regulations required by the 2013 omnibus rule for HIPAA / HITECH. They will provide real-world examples of how today’s healthcare organizations have moved to the cloud while achieving HIPAA compliance from multiple perspectives, including: financial costs, impact on clinical research, operations and security solutions, and benefits and challenges of a healthcare cloud.
- Johan Hybinette, Chief Information Security Officer for HOSTING
- Frank Condon, VP Strategic Alliances for HOSTING
- Sean Bruton, VP Product Management for HOSTING
- Lance Goudzwaard, Chief Commercial Officer for 3tSystems