Your guide to setting up a HIPAA-compliant cloud

When you put your healthcare organization’s patient data in the cloud, you enjoy a range of benefits, such as no longer having to worry about files being erased accidentally from a single machine. It is also simpler to organize all of your data and to run analytics on it to support better decisions.

At the same time, you must make sure that your cloud deployment complies with HIPAA, the Health Insurance Portability and Accountability Act, which Congress passed in 1996. Its Privacy, Security and Breach Notification Rules set out detailed requirements for storing, transmitting and using protected health information (PHI), including its electronic form (ePHI).

Here is an overview of things you should be doing in order to ensure HIPAA compliance.

Step 1: Finding the right cloud provider

To start, it’s helpful to obtain a copy of the guidance on HIPAA and cloud computing that the Department of Health and Human Services’ Office for Civil Rights (OCR) publishes online. Review it with your attorney and your IT team members.

Once you’re clear on those rules, conduct (perhaps with the help of a managed IT service provider) the risk analysis that the HIPAA Security Rule requires. Part of that work is examining candidate cloud service providers (CSPs) to find one that offers every reasonable safeguard for your PHI, including encryption of data at rest and in transit. You might inspect a CSP’s facilities yourself, but more often you will rely on independent security audit reports.

Once you’ve found a CSP you can trust, your attorney can review or draw up a business associate agreement (BAA). HIPAA terms a CSP that stores or processes your PHI a “business associate,” and the BAA obligates it to safeguard that PHI, to report security incidents and breaches to you, and to comply with the HIPAA rules that apply to it. A CSP that will not sign a BAA cannot hold your PHI.

You should also have a service level agreement (SLA) that details the quality of service your CSP will provide. For instance, how will it recover lost data, and how quickly? How much downtime, if any, can you expect? (The answer should be virtually none.) What happens to your data when the contract ends?

Step 2: Securing your data

Under HIPAA, you’ll have to take every practicable measure to keep track of your patient data and prevent it from falling into the wrong hands.

HIPAA permits healthcare professionals to access ePHI from mobile devices. However, each mobile device, like every computer and other endpoint, must be protected by multiple layers of security. Those measures should include:

  • Unique, randomly generated passwords that are never reused across systems
  • A host firewall
  • Sessions that time out after a period of inactivity
  • Multi-factor authentication
  • Encryption of data at rest and in transit that meets or exceeds industry standards
  • Intrusion detection

Likewise, provide regular training sessions so that employees follow best practices and can recognize the warning signs of intrusions and phishing scams.

Moreover, everyone should be on a need-to-know basis. Outside the disclosures HIPAA permits without authorization (treatment, payment and healthcare operations, and other specifically listed purposes), a patient’s ePHI may not be shared with anyone outside your organization unless the patient has signed an authorization form. Your cloud should also enforce a principle of least privilege (PoLP) security model, so that each user has access only to the information necessary for his or her job.

An automatic alert system built on your access logs is valuable here. The HIPAA Security Rule requires audit controls that record activity on systems holding ePHI, and reviewing those logs is how you learn that an unauthorized person has accessed your cloud data or that an authorized person has done something in the cloud they’re not supposed to do.
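As an added example (not code from the original article), the following Python script shows what such an alert check can look like when run over cloud audit logs. It encodes the least-privilege role model from the need-to-know paragraph above for a PHI store and flags three things: an unknown principal touching PHI, an authorized principal acting outside its role (with a higher severity when the cloud actually allowed the call, because that means the deployed permissions are broader than the role), and a principal accumulating repeated access denials. The role names, principal directory, action names and JSON log format are all assumptions, and the log lines are constructed for the example.

```python
"""Least-privilege alerting over PHI audit logs.

Added example, not code from the original article. The role names, the
principal directory, the action names and the JSON-lines log format are
assumptions; the sample log below is constructed, not real data.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Role -> the actions its job actually needs on the PHI store (least privilege).
ROLE_PERMISSIONS = {
    "clinician": {"phi:GetRecord", "phi:UpdateRecord"},
    "billing":   {"phi:GetRecord"},
    "auditor":   {"phi:ListRecords"},
    "phi-admin": {"phi:GetRecord", "phi:UpdateRecord", "phi:ListRecords",
                  "phi:ExportRecords", "phi:DeleteRecord"},
}

# Principal -> role. Anyone absent from this directory is unauthorized.
PRINCIPAL_ROLES = {
    "dr.lee": "clinician",
    "nurse.kim": "clinician",
    "billing.bot": "billing",
    "ext.auditor": "auditor",
    "ops.admin": "phi-admin",
}

# Actions that touch many records at once: worth a look even when permitted.
BULK_ACTIONS = {"phi:ExportRecords", "phi:ListRecords"}


@dataclass(frozen=True)
class Alert:
    severity: str   # "high", "medium" or "info"
    principal: str
    action: str
    reason: str


def evaluate_record(record):
    """Return an Alert for one audit record, or None if it looks normal."""
    principal, action = record["principal"], record["action"]
    role = PRINCIPAL_ROLES.get(principal)
    if role is None:
        return Alert("high", principal, action, "principal has no assigned role")
    if action not in ROLE_PERMISSIONS[role]:
        if record.get("result") == "allowed":
            # The cloud policy let it through: deployed permissions are broader
            # than the role model, which is the finding to fix first.
            return Alert("high", principal, action,
                         f"outside role '{role}' and the cloud allowed it")
        return Alert("medium", principal, action,
                     f"outside role '{role}' (denied by cloud policy)")
    if action in BULK_ACTIONS:
        return Alert("info", principal, action,
                     f"bulk PHI access permitted for role '{role}'; review")
    return None


def review_audit_log(text, denial_threshold=3):
    """Scan JSON-lines audit records; return per-record and aggregate alerts."""
    alerts, denials = [], Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        alert = evaluate_record(record)
        if alert is not None:
            alerts.append(alert)
        if record.get("result") == "denied":
            denials[record["principal"]] += 1
    # Repeated denials for one principal suggest probing or a broken job.
    for principal, count in denials.items():
        if count >= denial_threshold:
            alerts.append(Alert("medium", principal, "*",
                                f"{count} denied calls; possible probing or misconfiguration"))
    return alerts


# Constructed sample log in the assumed JSON-lines format (not real data).
SAMPLE_LOG = """\
{"time":"2024-03-04T09:12:01Z","principal":"dr.lee","action":"phi:GetRecord","resource":"patients/1042","result":"allowed"}
{"time":"2024-03-04T09:13:44Z","principal":"billing.bot","action":"phi:GetRecord","resource":"patients/1042","result":"allowed"}
{"time":"2024-03-04T09:15:09Z","principal":"contractor.x","action":"phi:GetRecord","resource":"patients/1042","result":"allowed"}
{"time":"2024-03-04T09:20:30Z","principal":"nurse.kim","action":"phi:ExportRecords","resource":"patients/*","result":"allowed"}
{"time":"2024-03-04T09:21:02Z","principal":"billing.bot","action":"phi:DeleteRecord","resource":"patients/2001","result":"denied"}
{"time":"2024-03-04T09:21:05Z","principal":"billing.bot","action":"phi:DeleteRecord","resource":"patients/2002","result":"denied"}
{"time":"2024-03-04T09:21:09Z","principal":"billing.bot","action":"phi:DeleteRecord","resource":"patients/2003","result":"denied"}
{"time":"2024-03-04T10:02:17Z","principal":"ops.admin","action":"phi:ExportRecords","resource":"patients/*","result":"allowed"}
"""

if __name__ == "__main__":
    for a in review_audit_log(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.principal:14} {a.action:18} {a.reason}")
```

On the sample log the script raises two high alerts (the unknown principal, and a clinician whose bulk export the cloud permitted), three medium alerts for the denied deletes plus one aggregate alert for their repetition, and one informational alert for a permitted administrative export. The allowed out-of-role call is the one to act on first: the fix belongs in the cloud’s permission policy, not only in the alerting.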

Step 3: Reporting breaches

What happens if an unauthorized person gains access to someone’s ePHI? This could occur due to employee error or hacking.

You must notify each affected individual without unreasonable delay, and no later than 60 days after you discover the breach. Breaches affecting fewer than 500 individuals must be logged and reported to the Department of Health and Human Services (HHS) within 60 days after the end of the calendar year in which they were discovered.

If a breach affects 500 or more individuals, you must also notify HHS at once (again, without unreasonable delay and within 60 days of discovery), and if more than 500 residents of one state or jurisdiction are affected, you must notify prominent media outlets serving that area. OCR will then follow up with an investigation, seeking more detailed information.

Finally, as you work your way toward full HIPAA compliance, it’s wise to partner with outside IT specialists. These experienced professionals can advise and support all of your data storage efforts.

In addition to conducting the initial risk analysis, those security experts can identify and eliminate potential vulnerabilities in your network. They can also help you craft an IT budget that accounts for all security measures. As cloud technologies evolve and improve, they’ll ensure that you always stay within the law and always protect your patients.

The top 4 things that take you out of compliance

As the leader of a growing organization, you’re expected to keep employee and customer data as secure as possible. However, aging technology and processes sometimes produce gaps, and even outright mistakes, that interfere with regulatory compliance. The financial industry, for example, is rife with tax and recordkeeping violations, and the penalties can run from hundreds to thousands of dollars.

So, what are common mistakes that cause otherwise responsible organizations in various fields to fall out of compliance when they make the move to new solutions? The following are some examples that you should avoid to minimize your risk of missing compliance requirements.

1. Forgetting about GDPR

The General Data Protection Regulation (GDPR) took effect in May 2018. Although it is a European law, it applies to any organization, American companies included, that collects, stores or processes the personal data of people in the European Union. If your business has no dealings whatsoever with anyone in the EU, that’s one thing, but in today’s global economy it’s best to be ready in case you decide to expand at some point in the future.

Regardless, these regulations are a good standard to strive for. They require that businesses know what types of data they collect, stay ahead of security breaches and follow a clear, transparent consent process, among other things. For example, as an article in CSO explains, “Opting in for a mailing list does not give the small-business owner the ability to use a customer’s data for something else unless this is outlined. Individuals should also know how to withdraw from your database at any time.”

It’s a good idea to keep GDPR in mind as you move to the cloud.

2. Not checking out third parties thoroughly

It’s likely that your business is partnering with at least one vendor to implement and improve cloud solutions. Perhaps a managed services provider is handling this for you, or maybe your business uses an offsite data center. In either case, it remains your responsibility to ensure, contractually and through ongoing review, that vendors and their subcontractors protect your data to the same standard you are held to.

3. Allowing BYOD without a tight policy

Bring your own device (BYOD) policies are popular in many businesses, but they can backfire if the policy doesn’t impose a strict set of security requirements. At a minimum, personal devices that touch company data should be required to encrypt their storage, enforce a strong passcode and screen lock, and support remote wiping if they are lost or stolen, and work data should be kept separate from personal apps. Make sure an adequate BYOD policy is in place before moving to the cloud or allowing employees to use their own phones, tablets and computers.

4. Collecting unnecessary information

Many customers don’t think twice about handing over personal data such as Social Security numbers, even for something as simple as a fishing license. As a general rule, though, if a piece of customer data isn’t needed, don’t collect it. If you do have a good reason for collecting the data you do, explain your rationale to customers and tell them how you’ll use it.

Beyond the four mistakes discussed here, two others to avoid are lacking a disaster recovery plan and failing to train your employees adequately. Address all six and you should be well placed to meet your compliance requirements.

If you need help navigating the ever-changing landscape, you can always contact us. After all, shoring up your environment to meet compliance is vital to your success. Being aware of the security benefits that cloud computing offers will inform the steps you take to keep your company’s data as secure as possible.