In our recent blog post, Aligning HIPAA Compliance with the Healthcare Cloud, we mentioned how the healthcare industry is increasingly adopting cloud services. However, while healthcare IT professionals recognize the benefits of leveraging cloud solutions to protect and optimize protected health information (PHI), they are often challenged to find a compliant cloud hosting provider that can meet their organization’s security and compliance requirements. Before you commit to a cloud solution, understand what it means to be HIPAA-compliant and how a prospective cloud hosting provider plans to protect your PHI in the cloud.
Understand What HIPAA Compliance Really Means
Many cloud hosting companies try to dazzle prospective customers with official-sounding claims that are often meaningless. Below are some examples pulled from actual websites.
- “HIPAA Business Associate”
- “100% HIPAA”
- “Guaranteed HIPAA Compliant”
Understanding what it means to be HIPAA-compliant will help you avoid being swayed by these claims. Being in compliance means that you have assessed the risks and threats as they pertain to the way you handle your PHI – and that you have implemented a security program that adequately addresses those risks. Keep in mind that HIPAA compliance goes beyond the cloud. Organizations are also responsible for non-digital threats and vulnerabilities, such as an employee accidentally leaving a patient file at his local Starbucks. Is your cloud hosting provider responsible for that breach? Maybe not. However, they should help you develop processes and policies that protect PHI in all forms.
Ask for Specific Details on the Cloud Provider’s HIPAA Compliance Solutions
A compliant cloud hosting provider should provide full visibility into how they protect your PHI as well as how their services directly impact your risk profile and compliance status. They should readily sign a Business Associate Agreement which clearly delineates compliance activities and responsible parties.
Some providers will try to assure you that they are “100% compliant”. Before signing on the dotted line, ask them for specific details on how they proactively monitor and maintain your organization’s compliance status. Below are some additional questions to ask that can help you make an informed decision.
- Can they back up their HIPAA compliance claims with independent audits? These audits should cover the scope of the assessment, the controls framework used and how you can leverage this compliance.
- Have they mapped their services and security controls to the HIPAA/HITECH requirements?
- Do they provide HIPAA compliance services through a third-party vendor? If so, have they and their subcontractors been independently assessed?
- How do they secure your PHI? Do they offer only one layer of protection, or do they use a layered security approach that integrates DDoS (Distributed Denial of Service) mitigation, firewalls, multifactor authentication, antimalware and so forth?
- Is your PHI kept separate from other tenants on the infrastructure, including your network traffic, data and virtual machines?
Stay informed and avoid the hype around HIPAA compliance. Watch our on-demand webinar now – HIPAA Compliance: Simple Steps to the Healthcare Cloud.