HIPAA Compliance in the Cloud

Are you on Cloud 9?

According to ClearDATA, there are seven top areas that health businesses need to have firmly in place for HIPAA compliance in the Cloud. These topics include using the public Cloud “in several key ways” to improve patients’ care and ensure PHI safety.

1) Encryption

Do you know that the Health Industry is a go-to destination for hackers? Health information contains the most complete and accurate personal health information (PHI). Currently, there are concerted efforts to ensure PHI is safe and secure in the cloud.

“Data encryption has become so important that enterprises like Google (GCP), Microsoft Azure and Amazon (AWS) already encrypt most of their health care related services.”

2) Redundancy

How do you handle Disaster Recovery? Would you lose your patient data or can it be hacked in the event of a natural disaster? Hurricanes, tornadoes, floods, or fires can and will happen. Most cloud providers have methods for securely moving and storing your data across multiple public cloud zones or data centers spread across different geographic regions.

Redundancy is a way to keep copies of your data in multiple server locations – increasing HIPAA compliance in the Cloud – just in case.

3) Transportation

Is your data safe during transportation? As reported by ClearDATA, “Human error during data transportation is often responsible for compromising data encryption.” Some cloud services offer physical as well as online movement of your data.

Keep your business to yourself and protect your clients by easily moving large and small amounts of data to and from the Cloud with reputable resources. And remember, you should always have business associate agreements (BAA) from all of your contractors to cover your HIPAA responsibilities, including encryption on any PHI accessed by them.

4) Testing

Ever heard of penetration testing, vulnerability scanning and intrusion prevention? Your Risk Management advisor or IT Security resources can help you check for any data problems that could put your business at risk.

Testing means getting ahead of the game and establishing solutions that keep your data processes safe. There are several third party testing resources for Cloud data safety. Audits are also good ways to keep track of your PHI security.

5) Hardening

What is data hardening and how does it help you? Think of it in terms of physical security. A castle was built with only one entrance and no windows on the outer wall. If a building only has one door and no windows, much like a storage building, it is also more secure, barring anyone from access to any assets inside the walls.

In terms of data, hardening is to reduce the number of ways that your PHI can be accessed with the goal of reducing overall risk to that asset. If you have proven, tested and monitored systems in place that deploy new data with the same utilities and processes that are used “to control standards and follow protocols,” you can be assured your data is conformed, organized and securely stored, protecting your PHI.

6) General Security and Access Management

Any health business must restrict access their PHI, including permissions control for staff or anyone who has access to your data. What do you have in place to monitor login accounts and staff access to PHI? If someone leaves your business, is your data access automatically changed? Be sure you also have systems to ensure the safety of your data in cases of human error.

7) Logging

We are not talking about “logging into” a system here but rather keeping track of everything that happens within an environment that contains your PHI data. Keeping logs that record all activity occurring within your network and your Cloud storage helps keep your data safe from people, natural disasters and any other possible breaches or losses of your PHI.

Monitor your data regularly and you will be one step closer to HIPAA data compliance.

EHR HIPAA Compliance

If you’re considering an EHR to help you maintain HIPAA compliance in the Cloud – or concerned about compliance when utilizing one, be sure to ask your EHR vendor about the items listed above. Your EHR provider should offer solid protocols of compliance – and support for how to ensure your agency’s practices within the system are secure.

Donna Koger

Donna Koger is the HIPAA & Security Compliance Officer at PIMSY EHR. For more electronic solutions for your agency, see Mental Health Practice Management.