The default response for those charged with HIPAA security is to say ‘no’ to cloud computing. Why? Clouds are not under direct control, they are not typically up on existing and emerging healthcare regulations, and, most importantly, they are new and scary.
There is a clear need, however, to rethink the role of cloud computing by those charged with HIPAA security. The efficiencies that can be gained by leveraging public, private, and hybrid clouds are just too compelling.
The trick is to understand the existing requirements, and then understand how the emerging use of cloud computing could provide compliant and secure HIPAA solutions. In many cases, leveraging cloud computing will improve upon the best practices and technology that exist today.
Here are three steps to using HIPAA in the cloud:
Step 1: Understand the details of the requirements.
One of the things that I find most frustrating is dealing with myths versus reality when it comes to HIPAA Security and cloud adoption. The “addressable” requirements of the security rules tend to be the most difficult to meet. Thus, these addressable requirements have a tendency to fall off of the radar, and therefore could create issues with compliance.
Okay, let’s go to school. HIPAA Security has three overall sections: Administrative, physical, and technical. Each section outlines things that should be done to remain compliant through the “implementation specification.” An example is the “technical safeguard” section that defines the standard for transmission security, and outlines how data should be protected through encryption. This requirement is addressable considering that encrypting all network traffic could be either impossible or an undo hardship.
If you think “addressable” means, “only do if it’s not hard,” however, then you could quickly run afoul of HIPAA Security. There are guidelines you should read that define the effort that should be made, including risk analysis and documentation around the choices for the implementation of the technical solution … very simply put. The objective is to meet the letter and the spirit of the regulations, or else you’re not in compliance with the law.
Step 2: Understand the role of the cloud provider.
Now that I scared you a bit, and now that we understand some of the ground rules around HIPAA Security, it’s time to consider the role of cloud computing. First you need to realize that the cloud provider is an active participant, and thus must also adhere to security requirements, such as employee screening and physical access requirements.
To that point, you need a cloud computing provider that understands HIPAA, but most importantly, understands how to be compliant. This means they should become a trusted agent and owner of your data, and meet all of the security requirements, including encryption, integrity controls, transmission protections, monitoring, management, and physical security. They will need to pass the same audits, and should meet or exceed your expectations and requirements. You’ll find that, in many instances, they are much more cost efficient and less risky than the traditional processes you leverage today from those who support HIPAA data.
This is not breaking news. Consider the use of remote datacenters and co-location providers over the last decade or so. Most public cloud computing providers that support HIPAA have pre-made plans for those looking to off-load all or portions of the processing.
Step 3: Create a business case, and then map a path to the cloud.
Keep in mind that cloud computing is not for all who have to deal with HIPAA security. In some instances, it’s not cost effective when considering the internal processing risks, cost of migration, or ongoing operational costs. You have to do your homework before making the jump.
In the vast majority of cases, cloud computing and HIPAA security are a good mix, however, assuming you partner with a provider that knows what they are doing around HIPAA Security. To get comfortable with a provider, you need to ask the right questions and review their existing documentation.
Past experience is the best indicator of success. Make sure you check references and the results of audits, if you can. Certainly, you need to perform your own audits to determine any issues with compliance.
In reality, this is the right move for most who have to deal with HIPAA compliance. You outsource the process of dealing with HIPAA security to those who are best equipped and funded to deal with it. Through economies of scale, a cloud computing provider that specializes in HIPAA compliance should both save you money as well as make your life easier.