Does your medical practice store patient data in the cloud? Cloud-based computing services have become commonplace in recent years; "the cloud" even earned a place in the American Dialect Society's Word of the Year voting. But doctors and other medical professionals should proceed with caution when using cloud-based services to store their patients' data.
HIPAA and The Cloud
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, doctors and other covered entities must put reasonable and appropriate safeguards in place to prevent the unauthorized access, use, or disclosure of Protected Health Information (PHI), whether it is held on paper or in electronic form. Cloud storage services are reachable from the public internet by design, so the account credentials become the main line of defense. If an attacker guesses, phishes, or otherwise obtains a staff member's password (and no second authentication factor is required), he or she can reach everything that account can reach, which in a practice's cloud storage may be the records of every patient.
The Omnibus Rule
The HIPAA Omnibus Rule (2013) made business associates directly responsible for complying with HIPAA. Before the Omnibus Rule, the Privacy and Security Rules applied directly only to covered entities: health care providers, health plans, and health care clearinghouses. Business associates were bound only indirectly, through their contracts with those covered entities. With the Omnibus Rule, business associates, including cloud service providers, became directly liable for their own HIPAA violations.
What is a Cloud Service Provider?
Under the revised HIPAA rules, entities that maintain "protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold." A cloud service provider (CSP) that stores PHI for a practice therefore falls squarely within the definition of a business associate, even if the data is encrypted and the provider never looks at it.
Does this mean that CSPs are prohibited in the medical setting? Not necessarily. However, the covered entity must execute a Business Associate Agreement (BAA) with the CSP to remain compliant with HIPAA and its Security Rule. We've talked about this before on our blog, but a BAA is basically a written contract that spells out what PHI the business associate may access or use; how it may use and disclose that information; what safeguards and breach reporting it must provide; and what happens when the agreement ends, including the return or destruction of the PHI.
If you're thinking about using the cloud to store PHI, it's essential that you choose a CSP that will sign a BAA and that has built its service around the HIPAA Security Rule. Note that there is no official HIPAA certification; "HIPAA-compliant" is the provider's own claim, so ask what safeguards it actually offers (encryption of stored and transmitted data, access controls, audit logs) rather than taking the label at face value. You must have the CSP sign the BAA before uploading any data to the cloud and using their services. Keep in mind that the BAA only covers the provider's side of the arrangement: your practice is still responsible for its own risk analysis, for configuring the service securely (strong passwords with multi-factor authentication, least-privilege sharing, reviewing the audit logs), and for training staff. Following these steps is necessary for your healthcare practice to use the cloud while remaining compliant with HIPAA, but the BAA alone does not make you compliant.