The HIPAA Final Rule and Staying Compliant in the Cloud

September 18, 2013 No Comments »
The HIPAA Final Rule and Staying Compliant in the Cloud

On March 26, 2013, the HIPAA Omnibus Final Rule went into effect. The date for fulfilling the new rules to stay compliant is September 23, 2013, except for companies operating under existing “business associate agreements” (BAAs)—their deadline is September 23, 2014.

As health-care and patient data moves to the cloud, HIPAA compliance follows along with it. With many vendors, consultants, and internal and external IT departments at work, the question of who is responsible for compliance comes up quite often. Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves. Owing to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.

HIPAA and the Cloud

Do you have to build your own cloud HIPAA-compliance solutions from scratch? The short answer is no; solutions and consulting companies are available to help move patient data to the cloud as well as to secure it following HIPAA compliance rules and best practices.

The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.

A Cloud HIPAA Compliance Checklist

1. Ensure “business associates” are HIPAA compliant

  • Data centers and cloud providers that service the health-care industry are in the category of “business associates.”
  • A business associate can also be an entity that “creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” This means document-storage companies and cloud providers now officially must follow HIPAA rules as well.
  • Subcontractors are also considered business associates if they are creating, receiving, transmitting or maintaining PHI on behalf of a business associate agreement.
  • Business associates must meet the compliance rules for all privacy and security requirements.

What can you do?

Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample business associate agreement is available on the HHS.gov website.

What happens if you are in violation?

The Office of Civil Rights (OCR) investigates HIPAA violations and can charge from $100 to $50,000 per violation. That amount is capped at $1.5 million for multiple violations. The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.

2. Data Backup

  • Health-care providers, business associates and subcontractors must have a backup contingency plan.
  • Requirements state that it has to include a backup plan for data, disaster recovery plan and an emergency-mode operations plan.
  • The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key
  • The end user/partner is required to encrypt the source data to meet HIPAA compliance.

What can you do?

If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it. If you have external backup solution providers, ensure they have a working plan in place.

3. Security Rules

  • Physical safeguards, like access controls, must be implemented to secure the facility.
  • Develop procedures to address and respond to security breaches.
  • An additional 18 technical security standards and 36 implementation specifications also apply.

What can you do?

Put a plan in place to protect data from internal and external threats, and limit access to only those that require it.

4. Technical Safeguards

Health-care providers, business associates and subcontractors must implement technical safeguards. Although many technical safeguards are not required, they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.

  • Study Encryption and decryption of electronically protected health information.
  • Use AES encryption for data “at rest” in the cloud.
  • Use strong—and highly protected—encryption-key management. This is the most sensitive and difficult item on this list; consider using split-key cloud encryption or homomorphic key management.
  • Transmission of data must be secured: use SSL/TLS or IPSec.
  • When any data is deleted from the cloud, any mirrored version of the data must be deleted as well.
  • Ensure limit access to electronic protected health information (ePHI).
  • Apply audit controls and procedures that record and analyze activity in information systems containing electronic protected health information.
  • Implement technical security measures such as strong authentication and authorization to guard against unauthorized access to ePHI transmitted over electronic communication networks.

What can you do?

Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored and deleted securely. Develop a plan to monitor and control data access.

5. Administrative Safeguards

For organizations to meet HIPAA compliance, they must have HIPAA administrative safeguards in place to “prevent, detect, contain and correct security violations.” Policies and procedures are required to deal with risk analysis, risk management, workforce sanctions for non-compliance and a review of records.

  • Assign a privacy officer for developing and implementing HIPAA policies and procedures.
  • Ensure that business associates also have a privacy officer, since they are also liable for complying with the security rule.
  • Implement a set of privacy procedures to meet compliance in four areas:

Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Risk Management
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

 Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

  • Provide ongoing administrative employee training on protected health information (PHI).
  • Implement a procedure and plan for internal HIPAA compliance audits.

What can you do?

Develop an internal plan to meet HIPAA compliance demands and have a privacy officer to implement requirements. Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors that violate the policy. Develop and maintain documentation for internal policies to meet HIPAA compliance demands, as it will help define those policies for your organization and could assist during a HIPAA audit.

About the Author

Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance.

Image courtesy of Harrygouvas

Add Comment Register



Leave a Reply