Cloud computing has grown enormously in usage and popularity in recent years, with companies of all shapes and sizes using it to streamline their operations. As a healthcare practitioner, however, you must take certain precautions to remain compliant with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Opting to use a cloud-computing service may seem harmless enough, but done without the right safeguards it could expose your patients' data to unauthorized disclosure.
What is Cloud Computing?
Before we get into the nuances of HIPAA as it applies to cloud computing, let's first define "cloud computing." Basically, cloud computing refers to the use of computing resources, such as storage, processing and applications, that are hosted at a remote location and reached over a network. Rather than storing data locally on your computer's hard drive, for instance, you can store it in the cloud on a provider's servers. Cloud computing offers several key benefits, including more efficient use of resources, remote access, automated backups and more. The flip side is that your data now sits on hardware you do not own or control, which is exactly why HIPAA treats the provider the way it does.
Cloud Providers are Business Associates
The Department of Health and Human Services (HHS) views cloud-computing service providers as business associates. This has been the case since the business associate concept was introduced in the HIPAA Privacy Rule, and it was made even clearer in the recent Omnibus Rule. This 563-page rule was created to bring HIPAA up to date with modern technology trends, including the use of cloud computing. The final Omnibus Rule clarified the definition of a business associate (not a covered entity) to include any person or organization that "creates, receives, maintains, or transmits" Protected Health Information (PHI) on behalf of a covered entity. Note the word "maintains": a provider that does nothing more than store your PHI on its servers still meets this definition.
Can I Use Cloud-Computing Services?
The good news is that doctors and other covered entities may still use cloud-computing services while remaining compliant with HIPAA. Before doing so, however, you must have the cloud-service provider sign a Business Associate Agreement (BAA). This written contract establishes the relationship between the covered entity and a third-party organization that accesses the covered entity's PHI. Among other things, a BAA must establish the permitted uses and disclosures of PHI, require the business associate to use appropriate safeguards to protect it, and provide that the associate will not use or disclose the PHI other than as permitted by the agreement or required by law.
Assuming the third-party organization signs the BAA, you may use it for cloud-computing services under the terms set forth in the BAA. If a provider will not sign one, it cannot hold your PHI, no matter how good its other security features are. Keep in mind, too, that a BAA must provide for its own termination: when the agreement ends, the provider must return or destroy the PHI it holds where feasible, and may no longer use or access patient data or other PHI.