HIPAA Compliance in the Cloud

Regulations that govern privacy are here to stay. Any entity, whether it be a hospital, a physician, an attorney or any other business associate, has a duty by law to protect information. These interrelated groups rely on each other to be compliant with the regulations. Everyone who has access to patient information must be in compliance with HIPAA.
According to HIPAA, there must be proper controls around patient information, with the patient having a clear understanding as to what information is shared and some agreement from that patient as to what can be shared. Any organization considering Cloud must be able to demonstrate the required controls over their data.
Given the obvious challenges around the protection of personal health information and the associated regulations, what are some of the drivers that motivate businesses to consider the Cloud? There are a number of reasons:
  • Collaboration across business entities with minimal investment
  • Costs involved in continuously refreshing infrastructure – many organizations would like to eliminate the need to invest significant capital resources in on-going technology upgrades
  • Costs involved with hiring skilled resources to support the systems and technologies needed
  • Costs related to comprehensive security monitoring and control – system intrusion protections, data compromises, and encryption are all protections that can be achieved in a cost effective manner with the Cloud
Eventually, most organizations will be faced with a need to leverage Cloud capabilities. A simple approach to evaluate the use of the Cloud to meet HIPAA requirements can be distilled into a series of steps:
  1. Understand the specific control requirements that pertain to your organization. This may involve one, or possibly a series of regulations that require compliance.
  2. Assess the current control environment against the requirements from the regulations, and identify any gaps.
  3. Define the additional controls required to mitigate any gaps in the current environment.
Most organizations, especially hospitals, don’t know how to begin an assessment. Because many organizations are overwhelmed by the regulation itself, they never move beyond the initial assessment, gap identification and risk assessment.
So, in order to get beyond initial analysis paralysis, there are a few simple questions to help you get started. These include:
  • Who manages patient information?
  • Where is patient information stored and accessed?
  • Is patient information found on the organization’s laptops, mobile or other portable devices?
As an organization goes through its assessment, it will be important to start the dialogue with potential Cloud providers to understand how they are addressing HIPAA concerns. All health-oriented businesses that are using, accessing, storing, and sharing patient information must realize the importance of meeting HIPAA/HITECH (Health Information Technology for Economic and Clinical Health) requirements, regardless of the technology they put in place.