Posts

Your guide to setting up a HIPAA-compliant cloud

When you put your healthcare organization’s patient data on the cloud, you enjoy a range of benefits like having to worry about computer files being erased accidentally. Furthermore, it’s simple to organize all of your data and use analytics to make the most accurate decisions possible.

At the same time, you must make sure that your cloud complies with HIPAA, the Health Insurance Portability and Accountability Act, which Congress passed in 1996. It sets forth complex rules for keeping, transmitting and using protected health information (PHI) or electronic protected health information (ePHI).

Here is an overview of things you should be doing in order to ensure HIPAA compliance.

Step 1: Finding the right cloud provider

To start, it’s helpful to obtain a copy of the online HIPAA guidelines that the Department of Health and Human Services’ Office of Civil Rights (OCR) offers. You can review them with your attorney and your IT team members.

As soon as you’re clear on those rules, you can conduct – perhaps with the help of an IT managed service provider – a thorough risk assessment. During this process, you’ll examine various cloud service providers (CSPs) to find one that guarantees every reasonable safeguard, including encryption, for your PHI. You might inspect a CSP’s headquarters yourself, or you could rely on expert security audits.

Once you’ve found a CSP you can trust, your attorney can draw up a business associate agreement (BAA). This agreement will hold your company and your CSP, which the law terms your “business associate,” to all HIPAA regulations.

You must also create a service level agreement (SLA), one that details the quality of service that your CSP will provide. For instance, how will it attempt to recover lost data? How much downtime, if any, can you expect? (The answer should be virtually none.)

Step 2: Securing your data

Under HIPAA, you’ll have to take every practicable measure to keep track of your patient data and prevent it from falling into the wrong hands.

HIPAA permits healthcare professionals to use mobile devices to access data. However, each mobile device, along with each computer and other endpoints, must be protected by multiple layers of security. Those measures should include:

  • Randomized and unique passwords
  • A powerful firewall
  • Sessions that time out
  • Two-factor authentication
  • Data encryption that meets or exceeds industry standards
  • An intrusion detection program

Likewise, you should provide regular training sessions to ensure employees are using best practices and are able to recognize the warning signs of hacks or phishing scams.

Moreover, everyone should be on a need-to-know basis. It’s illegal to share a patient’s ePHI with anyone outside of your business unless the person who’s requesting it has a HIPAA release form. (That document must include the patient’s signature.) Your cloud should also have a principle of least privilege (PoLP) security model to make sure each user only has the authority to access the information necessary for his or her job.

An automatic alert system is valuable here. You’ll receive a warning if an unauthorized person accesses your cloud data or if an authorized person does something in the cloud they’re not supposed to do.

Step 3: Reporting breaches

What happens if an unauthorized person gains access to someone’s ePHI? This could occur due to employee error or hacking.

You must tell the affected patient about the transgression within 60 days. Plus, on an annual basis, you must let the Department of Health and Human Services know about every PHI breach that happened during the past year.

If more than 500 records are breached at one time, you’re obligated to send out a press release and to tell the HHS at once. The OCR will follow up, seeking more detailed information.

Finally, as you work your way toward full HIPAA compliance, it’s wise to partner with outside IT specialists. These experienced professionals can advise and support all of your data storage efforts.

In addition to conducting the initial risk analysis, those security experts can identify and eliminate potential vulnerabilities in your network. They can also help you craft an IT budget that accounts for all security measures. As cloud technologies evolve and improve, they’ll ensure that you always stay within the law and always protect your patients.