Last week, Frank Condon, VP of Strategic Alliances at HOSTING, moderated our first Healthcare Community Webinar entitled, HIPAA Compliance: Steps to the Healthcare Cloud. Designed to be an engaging, thought-provoking forum for IT professionals, our panel of healthcare and IT experts provided real world examples of how today’s healthcare organizations have moved to the cloud while achieving HIPAA compliance. The perspectives and experiences shared included financial costs, operations and security solutions, and the impact cloud compliance can have on clinical research. Missed it? Below are some key takeaways.
HIPAA Compliance Starts with Security
According to Johan Hybinette, Chief Information Security Officer (CISO) for HOSTING, HIPAA compliance is “large, hard to interpret and not as structured as other compliance programs.” Organizations seeking to achieve HIPAA compliance are often challenged to find guidance since the HIPAA regulations only tell them what they need to do in order to be compliant – not how to do it.
Hybinette suggests that small to mid-sized organizations who want to achieve HIPAA compliance consider moving their business-critical data and applications to a cloud hosted by a compliant cloud solution provider (CSP) that can produce SOC 1, SOC 2 and/or SOC 3 attestation reports. A SOC report is not a HIPAA certification (there is no such thing), but the controls it audits overlap substantially with the administrative, physical and technical safeguards of the HIPAA Security Rule, so organizations can often achieve HIPAA compliance for a fraction of the investment required to build and audit their own compliant environment. Ask for the report itself and check which controls were in scope, not just whether a report exists.
Hybinette also offered three key questions that organizations should ask any cloud provider prior to engaging with them.
- “Where is my data my data being stored?” – CSPs should have local sites to host your data. For example, if your company is based in North America, your data should reside there.
- “How long does it take you to report an incident when it happens?”
- “How long does it take you to mitigate an incident when it happens?”
Cloud Providers Must Take an Active Role in Protecting PHI
According to Sean Bruton, VP of Product Management for HOSTING, the HIPAA Omnibus Final Rule (2013) means that organizations that handle patient data on behalf of a covered entity can now be held directly liable for its security. It signifies the erosion of the “janitor clause,” under which organizations – including CSPs – that may have had incidental access to protected health information (PHI) but didn’t make meaningful use of it had no liability for protecting it. With the Omnibus Rule, business associates and their subcontractors are directly accountable for complying with the Security Rule, so that liability is now shared between healthcare organizations and their outside service providers, including their cloud hosting partners.
Bruton emphasizes that CSPs “should absolutely sign a Business Associate Agreement (BAA) which specifically outlines who is responsible for managing patient data and how it maps back to HIPAA.” A BAA is not optional: HIPAA requires one before any vendor that creates, receives, maintains or transmits PHI on a covered entity’s behalf is given access to that data.
Protecting Patient Data is Just the Beginning
While many of the conversations that healthcare organizations have with cloud service providers cover security, compliance, liability and the CSP’s willingness to sign a BAA, HIPAA goes well beyond those controls. As Bruton notes, “Being PHI-ready means a lot more than simply protecting the data. It means keeping it available, online and performing well to support clinical decisions; and to support the quality, speed and cost of your healthcare.”
HIPAA isn’t just a confidentiality obligation. The Security Rule explicitly covers the availability and integrity of electronic PHI, and its contingency planning standard requires a data backup plan, a disaster recovery plan and an emergency mode operation plan, along with procedures for testing and revising them. Organizations must have a cloud platform that not only has those controls built in but also provides real, testable strategies (documented recovery time and recovery point objectives, scheduled restore tests, failover exercises) to prove that critical patient information is readily available.
Don’t Pay for a CSP’s Learning Curve
Bruton emphasized that healthcare applications have become increasingly complex. Therefore, organizations seeking to achieve HIPAA compliance should align with a cloud leader that is familiar with their applications and has a track record of working on those platforms. Organizations that engage with a CSP that lacks direct experience with their environment end up paying for that learning curve, which can in turn affect the quality of their patient care.
The HOSTING Healthcare Community Webinar series is intended to be an engaging, thought provoking and valuable forum for healthcare IT professionals. Gain more insights about the future of healthcare by viewing our on-demand webinar, HIPAA Compliance: Steps to the Healthcare Cloud or by downloading our recently published HIPAA Compliance Guide.