Does your healthcare practice use cloud storage and/or computing services? “Cloud computing” isn't just another buzzword that's here today and gone tomorrow. It's become a fundamental part of many healthcare providers' day-to-day operations.
As you may already know, cloud computing refers to the process of using computing resources from a remote location. Instead of storing your files locally on a computer located in your healthcare practice, for instance, you could store files on a remote server, known as the cloud. There are numerous benefits to doing so, such as the ability to access your files from any Internet-connected computer, efficient use of resources, and lower hardware costs. But covered entities should proceed with caution when using cloud computing services, as doing so may conflict with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
To better educate covered entities and business associates regarding the appropriate use of cloud computing services, the Department of Health and Human Services (HHS) has published new guidelines. These guidelines are intended to assist covered entities in complying with HIPAA.
“With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI),” wrote the HHS in its Guidance on HIPAA & Cloud Computing article.
One of the questions that many healthcare professionals ask is whether or not a cloud service provider is a business associate. If a third-party company with whom your practice does business is a business associate, certain precautions must be taken to ensure compliance with HIPAA. The HHS clarifies that any cloud service provider that engages with a covered entity is classified as a business associate. As such, those cloud service providers must also establish the necessary safeguards and security measures to mitigate the risk of Protected Health Information (PHI) disclosure.
Of course, HHS covers many other topics regarding HIPAA compliance and cloud computing. Cloud service providers, for instance, may only use PHI as outlined in their respective Business Associate Agreement (BAA) and the Privacy Rule, or as otherwise mandated by law.
The bottom line is that it's perfectly fine for doctors and other covered entities to use cloud computing services, but only if they abide by HIPAA and its rules. You can learn more about the HHS' newly published guidance on cloud computing by visiting http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.