Factors that Cloud Service Providers Need to Address for Maintaining HIPAA Compliance

We constantly see that healthcare and insurance providers have to adhere to strict regulations to ensure the safety of consumer’s data. The introduction of latest cloud technology services and the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act have brought a significant transformation in the Healthcare sector. The HITECH Act has made it compulsory for healthcare organizations to follow the guidelines laid down under the Health Insurance Portability and Accountability Act (HIPAA). As the number of health institutions depending on cloud services has increased, to reduce costs and infrastructure complexities, healthcare IT executives are faced with the daunting challenge to meet the standards of HIPAA.

While working with cloud service providers, IT executives deal with mainly two types of obstacles with regards to meeting the HIPAA norms:

• Vendors that offer online managed cloud services are fully responsible for data protection, disaster recovery planning, systems redundancy and all general security practices asked by HIPAA.
• Unmanaged cloud service providers need not fulfill all the requirements asked for by HIPAA, as their clients are also held responsible for some of the data protection issues.

Identifying systems that need to meet HIPAA standards — Enabling service providers to identify which systems need to meet the standards underlined by HIPAA is an integral part. Healthcare associations need to first identify all systems that deal with Protected Health Information (PHI). This helps them in determining which system needs to be evaluated so that conformity can be established with HIPAA privacy and security regulations.

Factors that Cloud Service Providers need to Ensure:

Business Associate Agreement (BAA) — The first step towards ensuring that services provided by the healthcare and insurance providers are HIPAA-compliant is signing the Business Associates Agreement (BAA). Signing of a BAA specifies the fact that it would comply with the HIPAA requirements to protect the privacy and security of PHI. Apart from that, it also offers an idea of what the supplier would do for the covered entity.

The location of the Data Center — Another factor of maintaining HIPPA compliance is that the cloud service provider must be able to show where the users’ data is stored at any point of time. This is an important factor in case of an audit as the provider may be needed to document the location of data of all their clients.

Data Access Controls and Regulations — The cloud provider must be able to demonstrate a number of different systems and data access controls. During an audit, they might need to show how user access to critical data is both controlled and consistently maintained— access to the data center, facility equipment, systems, as well as customer data being accessible solely to authorized individuals.  

Data Encryption in Flight and at Rest — One of the critical components that cloud service providers need to ensure in keeping the data protected and HIPAA compliant is data encryption. The cloud service providers needs to encrypt data in-flight, at-rest and during transmission via industry standard—SSL transmission. It is a must for service providers to be able to continuously monitor the availability of systems apart from compliance to the Service Level Agreement (SLA). They are also needed to ensure that the data is complete and correct through real time data validation.

Ongoing Auditing and Reporting — In maintaining HIPAA compliance, a cloud service provider also needs to provide proof that the association conducts ongoing log and security reviews in a bid to ensure that the data, systems and environments are safe. These reviews can range from anything between monthly engineering reviews, third-party audits or access reports.  

Employee Access Controls — The service providers must also fulfill the criteria of conducting thorough background check of employees who have access to client data apart from conducting regular security reviews, as policies change over time. This is a very important factor as it helps in guarding against unauthorized use of PHI.

The adherence to the above factors helps the cloud service providers maintains the HIPAA compliance. However, in an era where health policies and regulations keep changing constantly, the complexity associated with mere maintenance of the compliance doesn’t end here. The cloud service providers need to keep an eye out, as their responsibility is not only to maintain HIPAA compliance but also to avoid future data breaches.